
X-Forwarded-For 127.0.0.6 when using IPv6


I'm using mod_remoteip with Apache 2.4 to assign the X-Forwarded-For header to the client IP field to properly log the client IP while I'm behind a load balancer. The load balancer adds the X-Forwarded-For header to each request and always accesses the webservers through IPv6.

As you can see in the following tests, the IPv6 requests are just showing 127.0.0.6 as the client IP instead of the real client IP when coming in through IPv6 from outside. With IPv4 this works just fine.

The load balancer's IP is 2a02:2e0:40c:102::5

The webserver's IP is 2a02:2e0:40c:102:1::10

My client's addresses are 5.199.135.102 + 2001:4ba0:ffff:ea::5

IPv6 request

curl -6 http://foo.bar/ -I

Request / Response on network level on the webserver

####
T 2a02:2e0:40c:102::5:41974 -> 2a02:2e0:40c:102:1::10:80 [AP]
HEAD / HTTP/1.1.
User-Agent: curl/7.29.0.
Host: foo.bar.
Accept: */*.
X-Forwarded-For: 127.0.0.6.
Via: 1.1 [2a02:2e0:40c:ffff::3]:80.
X-Forwarded-For-Port: 57252.
.
##
T 2a02:2e0:40c:102:1::10:80 -> 2a02:2e0:40c:102::5:41974 [AP]
HTTP/1.1 302 Found.
Date: Tue, 30 Aug 2016 21:44:13 GMT.
Server: Apache.
Location: https://foo.bar/.
Content-Type: text/html; charset=iso-8859-1.
.

Apache log output IPv6

"127.0.0.6" 2a02:2e0:40c:102::5 - - [31/Aug/2016:00:07:15 +0200] "HEAD / HTTP/1.1" 302 - "-" "curl/7.29.0"

IPv4 request

curl -4 http://foo.bar/ -I

Request / Response on network level on the webserver

####
T 2a02:2e0:40c:102::5:21050 -> 2a02:2e0:40c:102:1::10:80 [AP]
HEAD / HTTP/1.1.
User-Agent: curl/7.29.0.
Host: foo.bar.
Accept: */*.
Via: 1.1 1.2.3.4:80.
X-Forwarded-For: 5.199.135.102.
X-Forwarded-For-Port: 56352.
.

##
T 2a02:2e0:40c:102:1::10:80 -> 2a02:2e0:40c:102::5:21050 [AP]
HTTP/1.1 302 Found.
Date: Tue, 30 Aug 2016 22:06:08 GMT.
Server: Apache.
Location: https://foo.bar/.
Content-Type: text/html; charset=iso-8859-1.
.
.

Apache log output IPv4

"5.199.135.102" 2a02:2e0:40c:102::5 - - [31/Aug/2016:00:06:08 +0200] "HEAD / HTTP/1.1" 302 - "-" "curl/7.29.0"

Has anyone had this issue before? Let me know if you need further information.

THX in advance - mat1010


Solution

  • In my case the issue was mod_remoteip.

    The load balancer masquerades IPv6 addresses with brackets, like this in the Via header: Via: 1.1 [2a02:2e0:40c:ffff::3]:80

    This is part of the RFC 7239 IPv6 address notation, due to the fact that it's sometimes necessary to specify the port, which is also separated by a colon.

    mod_remoteip is not able to interpret such addresses. This has also been noted below the mod_remoteip documentation within the Apache devel version by Lee Maguire.

    I assume that mod_remoteip does not currently support RFC 7239 syntax https://www.rfc-editor.org/rfc/rfc7239

    X-Forwarded-For: 192.0.2.43, 2001:db8:cafe::17

    becomes:

    Forwarded: for=192.0.2.43, for="[2001:db8:cafe::17]"
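
The address notation discussed in the answer can be handled on the logging side by a parser that accepts plain, bracketed and port-suffixed nodes. The following is an added example, not part of the original post and not mod_remoteip's code; the function names parse_node and client_ip and the sample header values are assumptions made for illustration, and only the load balancer address is taken from the question.

```python
import ipaddress


def parse_node(token):
    """Parse one X-Forwarded-For entry or Forwarded element; return an IP or None."""
    t = token.strip()
    for part in t.split(";"):              # Forwarded: for=...;proto=...;by=...
        if part.strip().lower().startswith("for="):
            t = part.strip()[4:]
    t = t.strip().strip('"')
    if t.startswith("["):                  # RFC 7239 form: [v6] or [v6]:port
        host, closing, rest = t[1:].partition("]")
        if not closing or (rest and not (rest[0] == ":" and rest[1:].isdigit())):
            return None
        t = host
    elif t.count(":") == 1:                # IPv4 with a port, e.g. 192.0.2.43:8080
        host, _, port = t.partition(":")
        if not port.isdigit():
            return None
        t = host
    try:
        return ipaddress.ip_address(t)
    except ValueError:                     # "unknown", obfuscated node, or garbage
        return None


def client_ip(peer, header_value, trusted_proxies):
    """Walk the header right to left; stop at the first hop that is not trusted."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    current = ipaddress.ip_address(peer)
    for token in reversed(header_value.split(",")):
        if not any(current in net for net in nets):
            break                          # untrusted sender: ignore what it claims
        node = parse_node(token)
        if node is None:
            break                          # unparseable: keep the last verified address
        current = node
    return str(current)


LB = ["2a02:2e0:40c:102::5/128"]           # load balancer address from the question
# Header values below are constructed for illustration.
print(client_ip("2a02:2e0:40c:102::5", "[2001:4ba0:ffff:ea::5]:57252", LB))
print(client_ip("2a02:2e0:40c:102::5", 'for=192.0.2.43, for="[2001:db8:cafe::17]"', LB))
```

An entry that cannot be parsed leaves the last verified address in place, so a malformed or unsupported header value shows up in the log as the proxy's own address rather than as an arbitrary string.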