Re: [mod-security-users] Missing X-Client-IP header
From: Reindl H. <h.r...@th...> - 2016-03-11 09:42:06
Am 11.03.2016 um 09:55 schrieb Barry Pollard:
> I disagree. The OWASP CRS even has a rule in modsecurity_crs_10_setup.conf.example to handle this scenario (using x-forwarded-for header but that can be updated to X-Client-IP):
>
> SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" \
> "id:'900019', \
> phase:1, \
> t:none, \
> capture, \
> setvar:tx.real_ip=%{tx.1}, \
> nolog, \
> pass"
that makes it not better but even worse
in a proper setup the httpd server translates the proxy header
transparently based on your configuration and if it contained only one IP
address the whole header is removed after that
finally that means in a proper setup a remaining "x-forwarded-for" *is
not* the real-ip but a random "x-forwarded-for" header from *foreign
networks* and any rule based on such wrong assumptions is broken and
dangerous
there is no "but" or "if" - we talk about security - period
read the paragraph "Remote IP Processing" and you understand why
https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
it took a long discussion to get mod_security fixed to work properly with
Apache 2.4 and for Apache 2.2 there was "mod_rpaf"
frankly in recent httpd versions you can even distinguish between
REMOTE_ADDR and CONN_REMOTE_ADDR to support TLS-offloading on a proxy
and treat clients which bypass the proxy differently
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{CONN_REMOTE_ADDR} !^127\.0\.0\.1
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</IfModule>
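To make the difference between the two approaches in this exchange concrete, here is an added example (not code from the thread, ModSecurity or Apache) that models, in simplified form, the "Remote IP Processing" described in the mod_remoteip documentation: the proxy chain is walked from the right, starting at the hop that actually connected (CONN_REMOTE_ADDR), trusted proxies are stripped, the first untrusted hop becomes the client address, and the header is removed when nothing is left of it. Beside it sits the first-match logic of the quoted CRS rule, using that rule's own regex. The trusted-proxy list and all addresses are constructed for the example; the resolver is an assumed simplification of what mod_remoteip does, not its implementation.

```python
"""Simplified model of proxy-aware client address resolution (added example).

Contrasts a mod_remoteip-style resolver with the 'first IP in the header'
logic of the quoted CRS rule. Constructed data throughout.
"""
import ipaddress
import re

# Assumption: stands in for RemoteIPInternalProxy entries in httpd.conf.
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def is_trusted(addr):
    """True when addr falls inside one of the configured proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_first_ip(header):
    """Mimics the quoted CRS rule: the dotted quad at the start of the header.

    This is the leftmost entry, i.e. whatever the client itself put there.
    """
    m = re.match(r"^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b", header or "")
    return m.group(1) if m else None


def resolve_client(conn_remote_addr, header):
    """Return (client_ip, remaining_header) the way a proxy-aware server would.

    Only a header arriving over a connection from a trusted proxy is believed.
    The chain is consumed from the right; the first untrusted hop is the
    client. Entries left of it stay in the header (they came from foreign
    networks and prove nothing); if none are left the header is removed,
    signalled here by returning None.
    """
    if not is_trusted(conn_remote_addr):
        # Direct connection: the header is untrusted input and left as-is.
        return conn_remote_addr, header
    hops = [h.strip() for h in (header or "").split(",") if h.strip()]
    client = conn_remote_addr
    while hops:
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            # Malformed entry: stop consuming, leave it (and everything to
            # its left) in the header rather than guessing.
            hops.append(candidate)
            break
        client = candidate
        if not is_trusted(candidate):
            break
    remaining = ", ".join(hops) if hops else None
    return client, remaining


if __name__ == "__main__":
    # Constructed scenario: a client behind the proxy forges a leading entry;
    # the proxy then appends the address it actually saw.
    forged = "1.2.3.4, 203.0.113.5"
    print("CRS-style first match :", naive_first_ip(forged))          # 1.2.3.4
    print("proxy-aware resolver  :", resolve_client("127.0.0.1", forged))
    # Constructed scenario: a client that bypassed the proxy entirely.
    print("bypassing client      :", resolve_client("198.51.100.9", "1.2.3.4"))
```

In the forged case the first-match rule reports the attacker-chosen 1.2.3.4 while the resolver reports 203.0.113.5 and leaves "1.2.3.4" behind in the header, which is exactly the "remaining header from foreign networks" situation the reply describes; in the bypass case the header is never consulted at all.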