Ubuntu
libapache2-mod-rpaf package

RPAFproxy_ips are not properly filtered out

Bug #1106821 reported by Harm Verhagen
30
This bug affects 5 people
Affects Status Importance Assigned to Milestone
libapache2-mod-rpaf (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

description
=========
In case of multiple proxies in series, mod_rpaf does not take the correct ip address to fill out REMOTE_ADDR.
It takes the _last_ ip address,
 it shoud however take the _last_ ip that is not RPAFproxy_ips.

steps to reproduce
===============

rpaf.conf
<IfModule mod_rpaf-2.0.c>
RPAFenable On
RPAFsethostname On
RPAFproxy_ips 127.0.0.1 ::1
</IfModule>

Have two proxies in series, both adjust header X-Forwarded-For
The https header arriving at apache is: X-Forwarded-For: 92.243.6.7, 127.0.0.1

expected result
=============
REMOTE_ADDRES = 92.243.6.7
It should not take 127.0.0.1 as that is in RPAFproxy_ips

actual result
==========
REMOTE_ADDRESS = 127.0.0.1

It does work correctly when only a single proxy is used.
So when the header is X-Forwarded-For: 92.243.6.7 -> REMOTE_ADDRESS is set correctly

version
======
ubuntu LTS 12.04
libapache2-mod-rpaf 0.6-2

details
======

It seems an old bug (fixed in 5.3) somehow reappered.

 -- Pavel V. Rochnyack <email address hidden> Mon, 02 Nov 2009 13:15:17 +0600

libapache2-mod-rpaf (0.5-3) unstable; urgency=low
....
  * Get last address in the header which is not in RPAFproxy_ips. Closes: #377190.

Revision history for this message
Sergey B Kirpichev (skirpichev) wrote :

Please, test this patch:
http://anonscm.debian.org/gitweb/?p=collab-maint/libapache2-mod-rpaf.git;a=blob;f=debian/patches/010_multiple_proxies.patch

Changed in libapache2-mod-rpaf (Ubuntu):
status: New → Fix Committed
Revision history for this message
Aaron Brady (bradya) wrote :

Hi,

I've compared the version of this package in Lucid and Precise, and the Lucid version worked correctly (as that patch was already part of the Debian packaging).

+1 for affects us too,

Aaron

Revision history for this message
Darren Worrall (dazworrall) wrote :

The patch in #1 applies cleanly and works fine here, we're testing it with real traffic behind a couple of layers of proxy.

Revision history for this message
Darren Worrall (dazworrall) wrote :

What's the next step on this Sergey? Can we get an updated package into -proposed for testing?

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libapache2-mod-rpaf - 0.6-9

---------------
libapache2-mod-rpaf (0.6-9) unstable; urgency=low

  * Readd patch 010 (removed in QA upload), LP: #1106821
  * Revert back Homepage: and watch file. http://stderr.net/ seems
    to be alive.

 -- Sergey B Kirpichev <email address hidden> Thu, 28 Feb 2013 19:45:11 +0400

Changed in libapache2-mod-rpaf (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Darren Worrall (dazworrall) wrote :

Can we get this SRU'd into 12.04 Sergey? This is a regression from 10.04 and its hurting us.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.