15

When acting as a reverse proxy, Apache adds x-forwarded headers as described here.

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers

In my configuration I have configured server A as a forward proxy. There is a rule like this:

    RewriteRule proxy:(.*example.com)/(.*) $1.mysecondserver.com/$2 [P]

This rule lets the server request the resource from one of my other servers.

On the second server (origin) I have a virtual host container for the resource and another rewrite rule like this:

    RewriteRule some-regex some-url [P]

It may not seem to make sense like this but there is a lot of other stuff going on that I left out as it is not part of the problem.

However that final request has these headers:

    [X-Forwarded-For] => ip of 1st server
    [X-Forwarded-Host] => example.myseconserver.com
    [X-Forwarded-Server] => example.com

I want those headers gone.

I seem to be unable to unset them with mod_headers. I can add more entries to them, but I cannot remove them.

Any ideas?

peterh
The Surrican
  • The only way known to me is **[RequestHeader](http://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader)** from mod_headers: use it to delete these headers, e.g. `RequestHeader unset X-Forwarded-For`. This directive has lower priority and runs **after** mod_rewrite just before the request is run by its handler in the fixup phase. I'm not sure about `X-Forwarded-*` headers, but it works fine for User Agent and similar headers -- no problems removing them – LazyOne Sep 05 '11 at 23:45
  • That is just what I tried, but those headers seem not to be editable this way – The Surrican Sep 06 '11 at 18:27

3 Answers

4

Since Apache 2, as this pretty answer says, the

    ProxyAddHeaders Off

theoretically disables it. In my experience, it had no effect. However, combined with

    <Proxy *>
      ProxyAddHeaders Off
    </Proxy>

and, with

    RequestHeader unset X-Forwarded-Host
    RequestHeader unset X-Forwarded-For
    RequestHeader unset X-Forwarded-Server

somewhere it started to work.

peterh
2

Corrected answer: there is no way to do that since it's hardcoded.

To fix this in the source code of mod_proxy_http.c, search for the following part:

        apr_table_mergen(r->headers_in, "X-Forwarded-Server",
                         r->server->server_hostname);
    }

and immediately after that add this code:

    // remove any X-Forwarded headers
    apr_table_unset(r->headers_in, "X-Forwarded-For");
    apr_table_unset(r->headers_in, "X-Forwarded-Host");
    apr_table_unset(r->headers_in, "X-Forwarded-Server");

then compile by running `apxs2 -cia mod_proxy_http.c`

The Surrican
  • Can you elaborate on how you made mod_headers work to remove those headers? I can't seem to in apache 2.2 no matter what I try. – Asfand Qazi Jul 25 '13 at 15:31
  • Sorry, I un-checked this answer because it does not work. If I remember that correctly there is no way and I ended up patching the module! However I have long switched to nginx since. – The Surrican Jul 26 '13 at 14:20
  • I think I'll just use Apache 2.4 which allows you to use ProxyAddHeaders, unless I need more granular control - in which case I will switch to nginx too :) – Asfand Qazi Jul 27 '13 at 17:28
  • I agree with you that this is probably the better way, especially considering nginx – The Surrican Sep 05 '13 at 09:07
  • To be clear, Apache 2.4 has http://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyaddheaders which using ProxyAddHeaders Off should do as requested. – becomingwisest May 27 '15 at 17:59
1

I had the same problem on httpd 2.2 on CentOS 5. Installing httpd 2.4 wasn't possible. But because of some reasons I couldn't switch to nginx completely. So I did it by inserting an nginx proxy between httpd and the destination address. So I had: httpd(localhost:80/path) -> nginx(localhost:81/path) -> http://your.destination/path. Installation steps are the following:

  1. Install nginx according to these instructions
  2. Configure nginx to avoid security problems.
  3. Add a location in nginx that will remove those httpd's reverse proxy request headers. It can look like this:

    location /path {
        proxy_set_header x-forwarded-for "";
        proxy_set_header x-forwarded-host "";
        proxy_set_header x-forwarded-server "";
        proxy_pass http://your.destination/path;
    }
    
keypress
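
To check what the origin actually receives after applying any of the configurations in the answers above, a throwaway echo origin can stand in for the real backend. This is an added example, not code from any of the posters; the function names, port 8081 and sample values are assumptions.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# The three headers mod_proxy adds, as listed in the question.
FORWARDED = ("x-forwarded-for", "x-forwarded-host", "x-forwarded-server")


def leaked_forwarding_headers(headers):
    """Return {name: value} for every non-empty X-Forwarded-* header received."""
    found = {}
    for name, value in headers.items():
        # nginx's proxy_set_header NAME "" drops the header; treat empty as absent.
        if name.lower() in FORWARDED and value.strip():
            found[name.lower()] = value
    return found


class EchoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = json.dumps(leaked_forwarding_headers(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass


def start_origin(host="127.0.0.1", port=0):
    """Start the echo origin in a background thread; port 0 picks a free port."""
    server = HTTPServer((host, port), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(url, extra_headers=None):
    """Request url (ignoring env proxies) and return what the origin saw."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, headers=extra_headers or {})
    with opener.open(req, timeout=5) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    origin = start_origin(port=8081)  # assumed port; point the last proxy hop here
    print("echo origin listening on", origin.server_address)
    threading.Event().wait()
```

Point the final `[P]` rule or `proxy_pass` at this listener and request the front-end URL; an empty JSON object in the response means none of the three headers reached the backend.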