
Apache connector 3.0 not factoring in RemoteIPHeader like mod_security2

Open drmuey opened this issue 3 years ago • 2 comments

  1. install mod_remoteip && RemoteIPHeader X-Forwarded-For
  2. install 3.0 apache connector
  3. do a hit w/ X-Forwarded-For: 1.2.3.4
  4. 1.2.3.4 is not what is in the audit log
  5. try again w/ mod_security2
  6. 1.2.3.4 is what is in the audit log

Our friends at Imunify360 who noticed this may have more detailed reproduction steps or other info to add.

Note: at this time we have not tried to see if the NGINX connector behaves the same or not.

drmuey avatar Apr 15 '21 14:04 drmuey

@drmuey Apache version for 3.0 is not yet ready for production. Please use the version 2.x

zimmerle avatar Apr 15 '21 17:04 zimmerle

In order to get the real IP to appear in the ModSecurity audit log, I've come up with the workaround of adding it to a header before ~~the RemoteIP module takes effect~~ ModSecurity reads the headers (but apparently after the RemoteIP module takes effect):

```apache
# Copy the connection address (as mod_remoteip has already rewritten it) into a
# request header at the "early" stage, so ModSecurity sees it when it reads headers.
RequestHeader append X-Connecting-IP "%{REMOTE_ADDR}s" early
```

It's admittedly a hack, and the documentation discourages use of the early option, but it's working for me. YMMV.

robbytx avatar Jun 05 '21 01:06 robbytx
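An added check for both the reproduction steps above (does the audit log's source address match the `X-Forwarded-For` value?) and robbytx's `X-Connecting-IP` workaround (pass that header name instead). This is example code, not from the ModSecurity project or either commenter. It parses ModSecurity's native serial audit-log format (section A carries `[timestamp] unique_id source_ip source_port dest_ip dest_port`, section B the request line and headers) and reports transactions whose logged source IP disagrees with the forwarded address. The sample log, transaction ids, addresses and the `SAMPLE_AUDIT_LOG`, `parse_audit_log`, `check_forwarded_ip` and `mismatched_transactions` names are constructed for this example; multi-hop header chains are simplified to the rightmost entry.

```python
"""Check whether ModSecurity serial audit-log entries record the client
address carried in a RemoteIPHeader such as X-Forwarded-For."""
import re
from typing import Dict, List, Optional

# Constructed sample: two transactions in ModSecurity's native serial audit
# format. Both requests arrive from proxy 10.0.0.5 carrying X-Forwarded-For:
# 1.2.3.4. The first records the proxy address (the behaviour reported for the
# 3.0 Apache connector); the second records the forwarded address (mod_security2).
SAMPLE_AUDIT_LOG = """\
--5b2c1a00-A--
[15/Apr/2021:14:04:00 +0000] YHhYnMCoAAEAAFtvA0cAAAAA 10.0.0.5 54321 10.0.0.1 80
--5b2c1a00-B--
GET /index.html HTTP/1.1
Host: www.example.test
X-Forwarded-For: 1.2.3.4
User-Agent: curl/7.64.1

--5b2c1a00-Z--

--5b2c1a01-A--
[15/Apr/2021:14:05:00 +0000] YHhY4MCoAAEAAFtwB1sAAAAB 1.2.3.4 54322 10.0.0.1 80
--5b2c1a01-B--
GET /index.html HTTP/1.1
Host: www.example.test
X-Forwarded-For: 1.2.3.4
User-Agent: curl/7.64.1

--5b2c1a01-Z--
"""

# Part boundary lines look like "--<boundary>-<letter>--"
PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# Section A: "[timestamp] unique_id source_ip source_port dest_ip dest_port"
A_LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<txid>\S+) (?P<src_ip>\S+) (?P<src_port>\d+) "
    r"(?P<dst_ip>\S+) (?P<dst_port>\d+)$"
)


def parse_audit_log(text: str) -> List[Dict]:
    """Split a serial audit log into transactions, keeping the section A
    fields and the section B request line and headers (names lower-cased)."""
    transactions: List[Dict] = []
    current: Optional[Dict] = None
    part: Optional[str] = None
    for line in text.splitlines():
        m = PART_RE.match(line)
        if m:
            boundary, part = m.groups()
            if part == "A":
                current = {"boundary": boundary, "headers": {}, "request_line": None}
                transactions.append(current)
            elif part == "Z":
                current, part = None, None
            continue
        if current is None or not line.strip():
            continue
        if part == "A":
            am = A_LINE_RE.match(line)
            if am:
                current.update(am.groupdict())
        elif part == "B":
            if current["request_line"] is None:
                current["request_line"] = line
            elif ":" in line:
                name, value = line.split(":", 1)
                current["headers"][name.strip().lower()] = value.strip()
    return transactions


def check_forwarded_ip(tx: Dict, header: str = "x-forwarded-for") -> Optional[Dict]:
    """Compare the source IP ModSecurity logged with the client address in the
    given header. Returns None when the header is absent. Simplification: the
    rightmost entry (the one the nearest proxy appended) is used; the value is
    only trustworthy when a proxy in RemoteIPTrustedProxy set it."""
    value = tx["headers"].get(header.lower())
    if value is None:
        return None
    expected = value.split(",")[-1].strip()
    return {
        "txid": tx.get("txid"),
        "logged": tx.get("src_ip"),
        "expected": expected,
        "matches": tx.get("src_ip") == expected,
    }


def mismatched_transactions(text: str, header: str = "x-forwarded-for") -> List[Dict]:
    """Transactions whose audit-log source IP disagrees with the forwarded address."""
    results = []
    for tx in parse_audit_log(text):
        result = check_forwarded_ip(tx, header)
        if result is not None and not result["matches"]:
            results.append(result)
    return results


if __name__ == "__main__":
    for r in mismatched_transactions(SAMPLE_AUDIT_LOG):
        print(f"{r['txid']}: audit log has {r['logged']}, header says {r['expected']}")
```

Run it against a real serial audit log (`SecAuditLogType Serial`) after the reproduction steps; a transaction listed in the output is one where the connector logged the proxy address rather than the forwarded client address. To verify the workaround, call `mismatched_transactions(text, "x-connecting-ip")` instead.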