mod_remoteip.html.en revision 9a58dc6a2b26ec128b1270cf48810e705f1a90db
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<?xml version="1.0" encoding="ISO-8859-1"?>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe This file is generated from xml source: DO NOT EDIT
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe -->
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<title>mod_remoteip - Apache HTTP Server</title>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<link href="/images/favicon.ico" rel="shortcut icon" /></head>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<body>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div id="page-header">
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="/faq/">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<p class="apache">Apache HTTP Server Version 2.3</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<img alt="" src="/images/feather.gif" /></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="/images/left.gif" /></a></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div id="path">
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.3</a> &gt; <a href="./">Modules</a></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div id="page-content">
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div id="preamble"><h1>Apache Module mod_remoteip</h1>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="toplang">
0066eddda7203f6345b56f77d146a759298dc635gryzor<p><span>Available Languages: </span><a href="/en/mod/mod_remoteip.html" title="English">&nbsp;en&nbsp;</a> |
0066eddda7203f6345b56f77d146a759298dc635gryzor<a href="/fr/mod/mod_remoteip.html" hreflang="fr" rel="alternate" title="Fran�ais">&nbsp;fr&nbsp;</a></p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe</div>
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Replaces the apparent client remote IP address and hostname
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsffor the request with the IP address list presented by a proxies or a load
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowebalancer via the request headers.
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Base</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="module-dict.html#ModuleIdentifier">Module�Identifier:</a></th><td>remoteip_module</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="module-dict.html#SourceFile">Source�File:</a></th><td>mod_remoteip.c</td></tr></table>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<h3>Summary</h3>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf <p>This module is used to treat the remote host which initiated the
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe request as the originating remote host as identified by httpd for the
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe purposes of authorization and logging, even where that remote host is
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe behind a load balancer, front end server, or proxy server.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf <p>The module replaces the apparent remote (client) IP/hostname for
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe the request with the IP address reported in the request header
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe configured with the <code class="directive">RemoteIPHeader</code> directive.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <p>Once replaced as instructed, this apparent IP address is then used
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe for <code class="module"><a href="/mod/mod_authz_host.html">mod_authz_host</a></code> features
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <code class="directive"><a href="/mod/mod_authz_host.html#require host">&lt;Require host&gt;</a></code>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe and <code class="directive"><a href="/mod/mod_authz_host.html#require ip">&lt;Require ip&gt;</a></code>,
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe is reported by <code class="module"><a href="/mod/mod_status.html">mod_status</a></code>, and is recorded by
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <code class="module"><a href="/mod/mod_log_config.html">mod_log_config</a></code> <code>%a</code> and <code>%h</code>
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf directives. It also determines the machine probed for an inetd
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf identity by <code class="module"><a href="/mod/mod_ident.html">mod_ident</a></code> based on the
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <code class="directive"><a href="/mod/mod_ident.html#identitycheck">IdentityCheck</a></code> configuration.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <div class="warning">It is critical to only enable this behavior from
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe intermediate hosts (proxies, etc) which are trusted by this server, since
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe it is trivial for the remote client to impersonate another client.</div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe</div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div id="quickview"><h3 class="directives">Directives</h3>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<ul id="toc">
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<li><img alt="" src="/images/down.gif" /> <a href="#remoteipheader">RemoteIPHeader</a></li>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<li><img alt="" src="/images/down.gif" /> <a href="#remoteipinternalproxy">RemoteIPInternalProxy</a></li>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<li><img alt="" src="/images/down.gif" /> <a href="#remoteipinternalproxylist">RemoteIPInternalProxyList</a></li>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<li><img alt="" src="/images/down.gif" /> <a href="#remoteipproxiesheader">RemoteIPProxiesHeader</a></li>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<li><img alt="" src="/images/down.gif" /> <a href="#remoteiptrustedproxy">RemoteIPTrustedProxy</a></li>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<li><img alt="" src="/images/down.gif" /> <a href="#remoteiptrustedproxylist">RemoteIPTrustedProxyList</a></li>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe</ul>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<h3>Topics</h3>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<ul id="topics">
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<li><img alt="" src="/images/down.gif" /> <a href="#processing">Remote IP Processing</a></li>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe</ul><h3>See also</h3>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<ul class="seealso">
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<li><code class="module"><a href="/mod/mod_authz_host.html">mod_authz_host</a></code></li>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<li><code class="module"><a href="/mod/mod_status.html">mod_status</a></code></li>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<li><code class="module"><a href="/mod/mod_log_config.html">mod_log_config</a></code></li>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<li><code class="module"><a href="/mod/mod_ident.html">mod_ident</a></code></li>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe</ul></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="section">
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<h2><a name="processing" id="processing">Remote IP Processing</a></h2>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <p>Apache identifies the client with the connection's remote_ip value,
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf and the connection remote_host and remote_logname are derived from this
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf value. These fields play a role in authentication, authorization and
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe logging and other purposes by other loadable modules.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <p>mod_remoteip replaces the true remote_ip with the advertised remote_ip as
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe provided by a proxy, for every evaluation of the client that occurs in the
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf server, and resets the remote_host and remote_logname values to trigger a
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe fresh dns or ident query of the remote IP address.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf <p>When multiple, comma delimited remote IP addresses are listed in the
27dcd8d81085fd60aadcd8a9bad35a607b26b758nilgun header value, they are processed in Right-to-Left order. Processing
27dcd8d81085fd60aadcd8a9bad35a607b26b758nilgun halts when a given remote IP address is not trusted to present the
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf preceeding IP address. The header field is updated to this remaining
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe list of unconfirmed IP addresses, or if all IP addresses were trusted,
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe this header is removed from the request altogether.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <p>In replacing the remote_ip, the module stores the list of intermediate
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe hosts in a remoteip-proxy-ip-list note, which <code class="module"><a href="/mod/mod_log_config.html">mod_log_config</a></code>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe can record using the <code>%{remoteip-proxy-ip-list}n</code> format token.
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe If the administrator needs to store this as an additional header, this
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe same value can also be recording as a header using the directive
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <code class="directive">RemoteIPProxiesHeader</code>.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <div class="note"><h3>IPv4-over-IPv6 Mapped Addresses</h3>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe As with httpd in general, any IPv4-over-IPv6 mapped addresses are recorded
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe in their IPv4 representation.</div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <div class="note"><h3>Internal (Private) Addresses</h3>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe All internal addresses 10/8, 172.16/12, 192.168/16, 169.254/16 and 127/8
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe blocks (and IPv6 addresses outside of the public 2000::/3 block) are only
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe evaluated by mod_remoteip when <code class="directive">RemoteIPInternalProxy</code>
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf internal (intranet) proxies are registered.</div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe</div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="directive-section"><h2><a name="RemoteIPHeader" id="RemoteIPHeader">RemoteIPHeader</a> <a name="remoteipheader" id="remoteipheader">Directive</a></h2>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<table class="directive">
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Declare the header field which should be parsed for client IP addresses</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>RemoteIPHeader <var>header-field</var></code></td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_remoteip</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe</table>
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf <p>The <code class="directive">RemoteIPHeader</code> directive triggers
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <code class="module"><a href="/mod/mod_remoteip.html">mod_remoteip</a></code> to treat the value of the specified
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <var>header-field</var> header as the client IP address, or list
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf of intermediate client IP addresses, subject to further configuration
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe of the <code class="directive">RemoteIPInternalProxy</code> and
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <code class="directive">RemoteIPTrustedProxy</code> directives. Unless these
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe other directives are used, <code class="module"><a href="/mod/mod_remoteip.html">mod_remoteip</a></code> will trust all
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe hosts presenting a <code class="directive">RemoteIPHeader</code> IP value.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <div class="example"><h3>Internal (Load Balancer) Example</h3><p><code>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPHeader X-Client-IP
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe </code></p></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <div class="example"><h3>Proxy Example</h3><p><code>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPHeader X-Forwarded-For
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe </code></p></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe</div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="directive-section"><h2><a name="RemoteIPInternalProxy" id="RemoteIPInternalProxy">RemoteIPInternalProxy</a> <a name="remoteipinternalproxy" id="remoteipinternalproxy">Directive</a></h2>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<table class="directive">
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Declare client intranet IP addresses trusted to present the RemoteIPHeader value</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>RemoteIPInternalProxy <var>proxy-ip</var>|<var>proxy-ip/subnet</var>|<var>hostname</var> ...</code></td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_remoteip</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe</table>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <p>The <code class="directive">RemoteIPInternalProxy</code> directive adds one
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe or more addresses (or address blocks) to trust as presenting a valid
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPHeader value of the client IP. Unlike the
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <code class="directive">RemoteIPTrustedProxy</code> directive, any IP address
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf presented in this header, including private intranet addresses, are
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe trusted when passed from these proxies.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <div class="example"><h3>Internal (Load Balancer) Example</h3><p><code>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPHeader X-Client-IP<br />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPTrustedProxy 10.0.2.0/24<br />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPTrustedProxy gateway.localdomain
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe </code></p></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe</div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="directive-section"><h2><a name="RemoteIPInternalProxyList" id="RemoteIPInternalProxyList">RemoteIPInternalProxyList</a> <a name="remoteipinternalproxylist" id="remoteipinternalproxylist">Directive</a></h2>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<table class="directive">
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Declare client intranet IP addresses trusted to present the RemoteIPHeader value</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>RemoteIPInternalProxyList <var>filename</var></code></td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_remoteip</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe</table>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <p>The <code class="directive">RemoteIPInternalProxyList</code> directive specifies
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe a file parsed at startup, and builds a list of addresses (or address blocks)
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe to trust as presenting a valid RemoteIPHeader value of the client IP.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <p>The '<code>#</code>' hash character designates a comment line, otherwise
27dcd8d81085fd60aadcd8a9bad35a607b26b758nilgun each whitespace or newline separated entry is processed identically to
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe the <code class="directive">RemoteIPInternalProxy</code> directive.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <div class="example"><h3>Internal (Load Balancer) Example</h3><p><code>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPHeader X-Client-IP<br />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPTrustedProxyList conf/trusted-proxies.lst
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe </code></p></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <div class="example"><h3>conf/trusted-proxies.lst contents</h3><p><code>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe # Our internally trusted proxies;<br />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe 10.0.2.0/24 #Everyone in the testing group<br />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe gateway.localdomain #The front end balancer
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe </code></p></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe</div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="directive-section"><h2><a name="RemoteIPProxiesHeader" id="RemoteIPProxiesHeader">RemoteIPProxiesHeader</a> <a name="remoteipproxiesheader" id="remoteipproxiesheader">Directive</a></h2>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<table class="directive">
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Declare the header field which will record all intermediate IP addresses</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>RemoteIPProxiesHeader <var>HeaderFieldName</var></code></td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_remoteip</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe</table>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <p>The <code class="directive">RemoteIPProxiesHeader</code> directive specifies
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe a header into which <code class="module"><a href="/mod/mod_remoteip.html">mod_remoteip</a></code> will collect a list of
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe all of the intermediate client IP addresses trusted to resolve the actual
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe remote IP. Note that intermediate <code class="directive">RemoteIPTrustedProxy</code>
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf addresses are recorded in this header, while any intermediate
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <code class="directive">RemoteIPInternalProxy</code> addresses are discarded.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <div class="example"><h3>Example</h3><p><code>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPHeader X-Forwarded-For<br />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPProxiesHeader X-Forwarded-By
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe </code></p></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe</div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="directive-section"><h2><a name="RemoteIPTrustedProxy" id="RemoteIPTrustedProxy">RemoteIPTrustedProxy</a> <a name="remoteiptrustedproxy" id="remoteiptrustedproxy">Directive</a></h2>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<table class="directive">
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Declare client intranet IP addresses trusted to present the RemoteIPHeader value</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>RemoteIPTrustedProxy <var>proxy-ip</var>|<var>proxy-ip/subnet</var>|<var>hostname</var> ...</code></td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_remoteip</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe</table>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <p>The <code class="directive">RemoteIPTrustedProxy</code> directive adds one
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe or more addresses (or address blocks) to trust as presenting a valid
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPHeader value of the client IP. Unlike the
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf <code class="directive">RemoteIPInternalProxy</code> directive, any intranet
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe or private IP address reported by such proxies, including the 10/8, 172.16/12,
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe 192.168/16, 169.254/16 and 127/8 blocks (or outside of the IPv6 public
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf 2000::/3 block) are not trusted as the remote IP, and are left in the
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <code class="directive">RemoteIPHeader</code> header's value.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <div class="example"><h3>Trusted (Load Balancer) Example</h3><p><code>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPHeader X-Forwarded-For<br />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPTrustedProxy 10.0.2.16/28<br />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPTrustedProxy proxy.example.com
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe </code></p></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe</div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="directive-section"><h2><a name="RemoteIPTrustedProxyList" id="RemoteIPTrustedProxyList">RemoteIPTrustedProxyList</a> <a name="remoteiptrustedproxylist" id="remoteiptrustedproxylist">Directive</a></h2>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<table class="directive">
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Declare client intranet IP addresses trusted to present the RemoteIPHeader value</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>RemoteIPTrustedProxyList <var>filename</var></code></td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Base</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_remoteip</td></tr>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe</table>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <p>The <code class="directive">RemoteIPTrustedProxyList</code> directive specifies
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe a file parsed at startup, and builds a list of addresses (or address blocks)
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe to trust as presenting a valid RemoteIPHeader value of the client IP.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <p>The '<code>#</code>' hash character designates a comment line, otherwise
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe each whitespace or newline seperated entry is processed identically to
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe the <code class="directive">RemoteIPTrustedProxy</code> directive.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <div class="example"><h3>Trusted (Load Balancer) Example</h3><p><code>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPHeader X-Forwarded-For<br />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe RemoteIPTrustedProxyList conf/trusted-proxies.lst
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe </code></p></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe <div class="example"><h3>conf/trusted-proxies.lst contents</h3><p><code>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe # Identified external proxies;<br />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe 192.0.2.16/28 #wap phone group of proxies<br />
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe proxy.isp.example.com #some well known ISP
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe </code></p></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe</div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe</div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<div class="bottomlang">
0066eddda7203f6345b56f77d146a759298dc635gryzor<p><span>Available Languages: </span><a href="/en/mod/mod_remoteip.html" title="English">&nbsp;en&nbsp;</a> |
0066eddda7203f6345b56f77d146a759298dc635gryzor<a href="/fr/mod/mod_remoteip.html" hreflang="fr" rel="alternate" title="Fran�ais">&nbsp;fr&nbsp;</a></p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe</div><div id="footer">
9c1260efa52c82c2a58e5b5f20cd6902563d95f5rbowen<p class="apache">Copyright 2011 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="/faq/">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p></div>
5f4e50966b2b9b58436a1651cbe588d1b595657ewrowe</body></html>