[PATCH] Prevent mod_proxy_http from adding X-Forwarded-* headers

When used as a reverse proxy via the ProxyPass directive, Apache’s mod_proxy_http module sneakily inserts the following headers into the request sent to the remote server:

  • X-Forwarded-For: The IP address of the client.
  • X-Forwarded-Host: The original host requested by the client in the Host HTTP request header.
  • X-Forwarded-Server: The hostname of the proxy server.

This behavior may be undesirable if we don’t want the remote server to know the request is coming from a proxy. Unfortunately, mod_proxy_http provides no mechanism to turn off the injection of these headers.

The following patch implements support for a new proxy-noxforwardedheaders environment variable. If this variable is set (see SetEnv), mod_proxy_http won’t add any X-Forwarded-* headers to the request.

Tip: If there’s a possibility that your clients may be behind proxy servers of their own, you may want to use RequestHeader unset to remove any X-Forwarded-* headers inserted by upstream proxies. By combining this technique with the patch below, you can guarantee that the remote server will always see proxied requests as coming straight from your mod_proxy host.
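A reverse-proxy configuration that combines the environment variable with the RequestHeader tip might look like the following. This is an added example, not part of the original post; the host names are placeholders, and it assumes mod_proxy_http was built with the patch below and that mod_env and mod_headers are loaded.

```apache
# Added example: host names below are placeholders.
# Requires mod_proxy, mod_proxy_http (built with the patch), mod_env and mod_headers.
<VirtualHost *:80>
    ServerName www.example.com

    # Tell the patched mod_proxy_http not to add X-Forwarded-* headers.
    # The patch only checks that the variable exists, so the value is arbitrary.
    SetEnv proxy-noxforwardedheaders 1

    # Drop X-Forwarded-* headers that arrived with the request, whether set by
    # the client itself or by proxies in front of this server.
    RequestHeader unset X-Forwarded-For
    RequestHeader unset X-Forwarded-Host
    RequestHeader unset X-Forwarded-Server

    ProxyPass        / http://backend.example.internal/
    ProxyPassReverse / http://backend.example.internal/
</VirtualHost>
```

With this in place the backend sees only the proxy's address, so any per-client logging, rate limiting or access control has to be done on the proxy host.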

--- modules/proxy/mod_proxy_http.c.orig 2010-10-06 05:48:13.000000000 -0500
+++ modules/proxy/mod_proxy_http.c      2011-03-28 17:45:40.000000000 -0500
@@ -805,7 +805,9 @@
      * is used in a reverse proxy configuration, so that useful info
      * about the client can be passed through the reverse proxy and on
      * to the backend server, which may require the information to
-     * function properly.
+     * function properly. As a result, when functioning as a reverse
+     * proxy, X-Forwarded-* headers will be added automatically unless
+     * the proxy-noxforwardedheaders environment variable is set.
      *
      * In a forward proxy situation, these options are a potential
      * privacy violation, as information about clients behind the proxy
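Review bot: The added sentence ending "unless the proxy-noxforwardedheaders environment variable is set" does not say what setting the variable costs, even though the lines just above it state that the backend "may require the information to function properly". Suggest extending the comment to say that with the variable set the backend sees only the proxy's address and loses the client IP and original Host for logging and any address-based decisions. This source comment is also the only description of the new variable in the patch as shown, so it needs an entry in the user-facing documentation as well.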
@@ -817,7 +819,8 @@
      * ProxyVia option for details.
      */

-    if (PROXYREQ_REVERSE == r->proxyreq) {
+    if (PROXYREQ_REVERSE == r->proxyreq
+         && !apr_table_get(r->subprocess_env, "proxy-noxforwardedheaders")) {
         const char *buf;

         /* Add X-Forwarded-For: so that the upstream has a chance to
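Review bot: The new condition !apr_table_get(r->subprocess_env, "proxy-noxforwardedheaders") tests only whether the variable is present, so a configuration that sets it to 0 or off suppresses the headers exactly as 1 does. Either say in the comment that any value counts, or fetch the value once and compare it before skipping the block, so that an administrator who sets it to an "off" value does not silently strip the client address from backend requests.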
