mod_remoteip.html.en revision 9a58dc6a2b26ec128b1270cf48810e705f1a90db
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe This file is generated from xml source: DO NOT EDIT
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<link href="/images/favicon.ico" rel="shortcut icon" /></head>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="/faq/">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="up"><a href="./"><img title="<-" alt="<-" src="/images/left.gif" /></a></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.3</a> > <a href="./">Modules</a></div>
0066eddda7203f6345b56f77d146a759298dc635gryzor<p><span>Available Languages: </span><a href="/en/mod/mod_remoteip.html" title="English"> en </a> |
0066eddda7203f6345b56f77d146a759298dc635gryzor<a href="/fr/mod/mod_remoteip.html" hreflang="fr" rel="alternate" title="Fran�ais"> fr </a></p>
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Replaces the apparent client remote IP address and hostname
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsffor the request with the IP address list presented by a proxies or a load
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowebalancer via the request headers.
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Base</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="module-dict.html#ModuleIdentifier">Module�Identifier:</a></th><td>remoteip_module</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="module-dict.html#SourceFile">Source�File:</a></th><td>mod_remoteip.c</td></tr></table>
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf <p>This module is used to treat the remote host which initiated the
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe request as the originating remote host as identified by httpd for the
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe purposes of authorization and logging, even where that remote host is
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe behind a load balancer, front end server, or proxy server.</p>
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf <p>The module replaces the apparent remote (client) IP/hostname for
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe the request with the IP address reported in the request header
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe configured with the <code class="directive">RemoteIPHeader</code> directive.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <p>Once replaced as instructed, this apparent IP address is then used
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe for <code class="module"><a href="/mod/mod_authz_host.html">mod_authz_host</a></code> features
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <code class="directive"><a href="/mod/mod_authz_host.html#require host"><Require host></a></code>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe and <code class="directive"><a href="/mod/mod_authz_host.html#require ip"><Require ip></a></code>,
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe is reported by <code class="module"><a href="/mod/mod_status.html">mod_status</a></code>, and is recorded by
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <code class="module"><a href="/mod/mod_log_config.html">mod_log_config</a></code> <code>%a</code> and <code>%h</code>
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf directives. It also determines the machine probed for an inetd
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf identity by <code class="module"><a href="/mod/mod_ident.html">mod_ident</a></code> based on the
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <code class="directive"><a href="/mod/mod_ident.html#identitycheck">IdentityCheck</a></code> configuration.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <div class="warning">It is critical to only enable this behavior from
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe intermediate hosts (proxies, etc) which are trusted by this server, since
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe it is trivial for the remote client to impersonate another client.</div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div id="quickview"><h3 class="directives">Directives</h3>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<li><img alt="" src="/images/down.gif" /> <a href="#remoteipheader">RemoteIPHeader</a></li>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<li><img alt="" src="/images/down.gif" /> <a href="#remoteipinternalproxy">RemoteIPInternalProxy</a></li>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<li><img alt="" src="/images/down.gif" /> <a href="#remoteipinternalproxylist">RemoteIPInternalProxyList</a></li>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<li><img alt="" src="/images/down.gif" /> <a href="#remoteipproxiesheader">RemoteIPProxiesHeader</a></li>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<li><img alt="" src="/images/down.gif" /> <a href="#remoteiptrustedproxy">RemoteIPTrustedProxy</a></li>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<li><img alt="" src="/images/down.gif" /> <a href="#remoteiptrustedproxylist">RemoteIPTrustedProxyList</a></li>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<li><img alt="" src="/images/down.gif" /> <a href="#processing">Remote IP Processing</a></li>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<li><code class="module"><a href="/mod/mod_authz_host.html">mod_authz_host</a></code></li>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<li><code class="module"><a href="/mod/mod_status.html">mod_status</a></code></li>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<li><code class="module"><a href="/mod/mod_log_config.html">mod_log_config</a></code></li>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<li><code class="module"><a href="/mod/mod_ident.html">mod_ident</a></code></li>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<h2><a name="processing" id="processing">Remote IP Processing</a></h2>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <p>Apache identifies the client with the connection's remote_ip value,
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf and the connection remote_host and remote_logname are derived from this
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf value. These fields play a role in authentication, authorization and
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe logging and other purposes by other loadable modules.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <p>mod_remoteip replaces the true remote_ip with the advertised remote_ip as
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe provided by a proxy, for every evaluation of the client that occurs in the
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf server, and resets the remote_host and remote_logname values to trigger a
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe fresh dns or ident query of the remote IP address.</p>
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf <p>When multiple, comma delimited remote IP addresses are listed in the
27dcd8d81085fd60aadcd8a9bad35a607b26b758nilgun header value, they are processed in Right-to-Left order. Processing
27dcd8d81085fd60aadcd8a9bad35a607b26b758nilgun halts when a given remote IP address is not trusted to present the
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf preceeding IP address. The header field is updated to this remaining
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe list of unconfirmed IP addresses, or if all IP addresses were trusted,
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe this header is removed from the request altogether.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <p>In replacing the remote_ip, the module stores the list of intermediate
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe hosts in a remoteip-proxy-ip-list note, which <code class="module"><a href="/mod/mod_log_config.html">mod_log_config</a></code>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe can record using the <code>%{remoteip-proxy-ip-list}n</code> format token.
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe If the administrator needs to store this as an additional header, this
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe same value can also be recording as a header using the directive
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <code class="directive">RemoteIPProxiesHeader</code>.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <div class="note"><h3>IPv4-over-IPv6 Mapped Addresses</h3>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe As with httpd in general, any IPv4-over-IPv6 mapped addresses are recorded
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe in their IPv4 representation.</div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <div class="note"><h3>Internal (Private) Addresses</h3>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe All internal addresses 10/8, 172.16/12, 192.168/16, 169.254/16 and 127/8
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe blocks (and IPv6 addresses outside of the public 2000::/3 block) are only
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe evaluated by mod_remoteip when <code class="directive">RemoteIPInternalProxy</code>
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf internal (intranet) proxies are registered.</div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="directive-section"><h2><a name="RemoteIPHeader" id="RemoteIPHeader">RemoteIPHeader</a> <a name="remoteipheader" id="remoteipheader">Directive</a></h2>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Declare the header field which should be parsed for client IP addresses</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>RemoteIPHeader <var>header-field</var></code></td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_remoteip</td></tr>
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf <p>The <code class="directive">RemoteIPHeader</code> directive triggers
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <code class="module"><a href="/mod/mod_remoteip.html">mod_remoteip</a></code> to treat the value of the specified
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <var>header-field</var> header as the client IP address, or list
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf of intermediate client IP addresses, subject to further configuration
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe of the <code class="directive">RemoteIPInternalProxy</code> and
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <code class="directive">RemoteIPTrustedProxy</code> directives. Unless these
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe other directives are used, <code class="module"><a href="/mod/mod_remoteip.html">mod_remoteip</a></code> will trust all
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe hosts presenting a <code class="directive">RemoteIPHeader</code> IP value.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <div class="example"><h3>Internal (Load Balancer) Example</h3><p><code>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPHeader X-Client-IP
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPHeader X-Forwarded-For
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="directive-section"><h2><a name="RemoteIPInternalProxy" id="RemoteIPInternalProxy">RemoteIPInternalProxy</a> <a name="remoteipinternalproxy" id="remoteipinternalproxy">Directive</a></h2>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Declare client intranet IP addresses trusted to present the RemoteIPHeader value</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>RemoteIPInternalProxy <var>proxy-ip</var>|<var>proxy-ip/subnet</var>|<var>hostname</var> ...</code></td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_remoteip</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <p>The <code class="directive">RemoteIPInternalProxy</code> directive adds one
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe or more addresses (or address blocks) to trust as presenting a valid
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPHeader value of the client IP. Unlike the
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <code class="directive">RemoteIPTrustedProxy</code> directive, any IP address
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf presented in this header, including private intranet addresses, are
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe trusted when passed from these proxies.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <div class="example"><h3>Internal (Load Balancer) Example</h3><p><code>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPHeader X-Client-IP<br />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPTrustedProxy gateway.localdomain
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="directive-section"><h2><a name="RemoteIPInternalProxyList" id="RemoteIPInternalProxyList">RemoteIPInternalProxyList</a> <a name="remoteipinternalproxylist" id="remoteipinternalproxylist">Directive</a></h2>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Declare client intranet IP addresses trusted to present the RemoteIPHeader value</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>RemoteIPInternalProxyList <var>filename</var></code></td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_remoteip</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <p>The <code class="directive">RemoteIPInternalProxyList</code> directive specifies
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe a file parsed at startup, and builds a list of addresses (or address blocks)
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe to trust as presenting a valid RemoteIPHeader value of the client IP.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <p>The '<code>#</code>' hash character designates a comment line, otherwise
27dcd8d81085fd60aadcd8a9bad35a607b26b758nilgun each whitespace or newline separated entry is processed identically to
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe the <code class="directive">RemoteIPInternalProxy</code> directive.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <div class="example"><h3>Internal (Load Balancer) Example</h3><p><code>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPHeader X-Client-IP<br />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <div class="example"><h3>conf/trusted-proxies.lst contents</h3><p><code>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe # Our internally trusted proxies;<br />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe gateway.localdomain #The front end balancer
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="directive-section"><h2><a name="RemoteIPProxiesHeader" id="RemoteIPProxiesHeader">RemoteIPProxiesHeader</a> <a name="remoteipproxiesheader" id="remoteipproxiesheader">Directive</a></h2>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Declare the header field which will record all intermediate IP addresses</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>RemoteIPProxiesHeader <var>HeaderFieldName</var></code></td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_remoteip</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <p>The <code class="directive">RemoteIPProxiesHeader</code> directive specifies
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe a header into which <code class="module"><a href="/mod/mod_remoteip.html">mod_remoteip</a></code> will collect a list of
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe all of the intermediate client IP addresses trusted to resolve the actual
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe remote IP. Note that intermediate <code class="directive">RemoteIPTrustedProxy</code>
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf addresses are recorded in this header, while any intermediate
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <code class="directive">RemoteIPInternalProxy</code> addresses are discarded.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPHeader X-Forwarded-For<br />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPProxiesHeader X-Forwarded-By
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="directive-section"><h2><a name="RemoteIPTrustedProxy" id="RemoteIPTrustedProxy">RemoteIPTrustedProxy</a> <a name="remoteiptrustedproxy" id="remoteiptrustedproxy">Directive</a></h2>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Declare client intranet IP addresses trusted to present the RemoteIPHeader value</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>RemoteIPTrustedProxy <var>proxy-ip</var>|<var>proxy-ip/subnet</var>|<var>hostname</var> ...</code></td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_remoteip</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <p>The <code class="directive">RemoteIPTrustedProxy</code> directive adds one
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe or more addresses (or address blocks) to trust as presenting a valid
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPHeader value of the client IP. Unlike the
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf <code class="directive">RemoteIPInternalProxy</code> directive, any intranet
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe or private IP address reported by such proxies, including the 10/8, 172.16/12,
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe 192.168/16, 169.254/16 and 127/8 blocks (or outside of the IPv6 public
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf 2000::/3 block) are not trusted as the remote IP, and are left in the
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <code class="directive">RemoteIPHeader</code> header's value.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <div class="example"><h3>Trusted (Load Balancer) Example</h3><p><code>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPHeader X-Forwarded-For<br />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPTrustedProxy proxy.example.com
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="directive-section"><h2><a name="RemoteIPTrustedProxyList" id="RemoteIPTrustedProxyList">RemoteIPTrustedProxyList</a> <a name="remoteiptrustedproxylist" id="remoteiptrustedproxylist">Directive</a></h2>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Declare client intranet IP addresses trusted to present the RemoteIPHeader value</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>RemoteIPTrustedProxyList <var>filename</var></code></td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_remoteip</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <p>The <code class="directive">RemoteIPTrustedProxyList</code> directive specifies
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe a file parsed at startup, and builds a list of addresses (or address blocks)
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe to trust as presenting a valid RemoteIPHeader value of the client IP.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <p>The '<code>#</code>' hash character designates a comment line, otherwise
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe each whitespace or newline seperated entry is processed identically to
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe the <code class="directive">RemoteIPTrustedProxy</code> directive.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <div class="example"><h3>Trusted (Load Balancer) Example</h3><p><code>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPHeader X-Forwarded-For<br />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <div class="example"><h3>conf/trusted-proxies.lst contents</h3><p><code>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe # Identified external proxies;<br />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe proxy.isp.example.com #some well known ISP
0066eddda7203f6345b56f77d146a759298dc635gryzor<p><span>Available Languages: </span><a href="/en/mod/mod_remoteip.html" title="English"> en </a> |
0066eddda7203f6345b56f77d146a759298dc635gryzor<a href="/fr/mod/mod_remoteip.html" hreflang="fr" rel="alternate" title="Fran�ais"> fr </a></p>
9c1260efa52c82c2a58e5b5f20cd6902563d95f5rbowen<p class="apache">Copyright 2011 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="/faq/">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p></div>