owasp-modsecurity / ModSecurity-apache

ModSecurity v3 Apache Connector
Apache License 2.0

Apache connector 3.0 not factoring in RemoteIPHeader like mod_security2 #81

Open drmuey opened 3 years ago

drmuey commented 3 years ago
  1. install mod_remoteip && RemoteIPHeader X-Forwarded-For
  2. install 3.0 apache connector
  3. do a hit w/ X-Forwarded-For: 1.2.3.4
  4. 1.2.3.4 is not what is in the audit log
  5. try again w/ mod_security2
  6. 1.2.3.4 is what is in the audit log

Our friends at Imunify360 who noticed this may have more detailed reproduction steps or other info to add.

Note: at this time we have not tried to see if the NGINX connector behaves the same or not.
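To turn reproduction steps 3 and 4 into something repeatable, the following script (an added example, not code from the issue or from the ModSecurity project) parses a serial-format ModSecurity audit log and compares the source address recorded in part A with the first address in the request's X-Forwarded-For header from part B. It distinguishes three outcomes: the connector recorded the header's address (what mod_security2 does in step 6), it recorded the proxy's address although the peer is a trusted proxy (the behaviour reported in step 4), or the header arrived from a peer that is not a trusted proxy, where leaving the address alone is the correct result. The trusted-proxy set stands in for the RemoteIPInternalProxy/RemoteIPTrustedProxy configuration; the assumption here is that mod_remoteip only rewrites the client address for peers in that list, and that without such a list it accepts the header from any peer, which is why an audit-log address taken from an unrestricted X-Forwarded-For should not be relied on for blocking decisions. The log text, transaction ids and addresses are constructed sample data.

```python
"""Check whether the client address in a ModSecurity serial audit log
matches the X-Forwarded-For header that mod_remoteip should have applied.
Added example; the log below is constructed, not taken from a real server."""
import re
from typing import Dict, List, Optional

# Constructed sample: three transactions behind a proxy at 10.0.0.5.
SAMPLE_AUDIT_LOG = """\
--1a2b3c4d-A--
[01/Jan/2021:10:00:00 +0000] YQ9R0cCoAAEAAAAAAAAAAAA 10.0.0.5 51234 10.0.0.20 80
--1a2b3c4d-B--
GET / HTTP/1.1
Host: example.test
X-Forwarded-For: 1.2.3.4
--1a2b3c4d-Z--

--5e6f7a8b-A--
[01/Jan/2021:10:00:01 +0000] YQ9R0cCoAAEAAAAAAAAAAAB 198.51.100.9 40001 10.0.0.20 80
--5e6f7a8b-B--
GET / HTTP/1.1
Host: example.test
X-Forwarded-For: 9.9.9.9
--5e6f7a8b-Z--

--9c0d1e2f-A--
[01/Jan/2021:10:00:02 +0000] YQ9R0cCoAAEAAAAAAAAAAAC 1.2.3.4 51235 10.0.0.20 80
--9c0d1e2f-B--
GET / HTTP/1.1
Host: example.test
X-Forwarded-For: 1.2.3.4
--9c0d1e2f-Z--
"""

# Section boundary lines look like "--<transaction id>-<part letter>--".
BOUNDARY_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$")
# Part A: "[timestamp] unique_id source_ip source_port dest_ip dest_port"
PART_A_RE = re.compile(r"^\[[^\]]+\] (\S+) (\S+) (\d+) (\S+) (\d+)$")


def parse_audit_log(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Split a serial-format audit log into {transaction_id: {part: lines}}."""
    transactions: Dict[str, Dict[str, List[str]]] = {}
    current_id: Optional[str] = None
    current_part: Optional[str] = None
    for line in text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            current_id, current_part = m.group(1), m.group(2)
            transactions.setdefault(current_id, {}).setdefault(current_part, [])
            continue
        if current_id is not None and current_part is not None and line:
            transactions[current_id][current_part].append(line)
    return transactions


def request_headers(part_b: List[str]) -> Dict[str, str]:
    """Turn part B (request line, then headers) into a lower-cased header map."""
    headers: Dict[str, str] = {}
    for line in part_b[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_remoteip(text: str, trusted_proxies: set) -> List[Dict[str, Optional[str]]]:
    """Classify each transaction by whether the logged address reflects the
    X-Forwarded-For header. 'trusted_proxies' plays the role of the
    RemoteIPInternalProxy/RemoteIPTrustedProxy list (assumption, see lead-in)."""
    findings: List[Dict[str, Optional[str]]] = []
    for tx_id, parts in parse_audit_log(text).items():
        part_a = parts.get("A") or [""]
        a = PART_A_RE.match(part_a[0])
        if not a:
            continue  # malformed or truncated transaction
        source_ip = a.group(2)
        xff = request_headers(parts.get("B", [])).get("x-forwarded-for")
        client = xff.split(",")[0].strip() if xff else None
        if client is None:
            status = "no-header"
        elif source_ip == client:
            status = "rewritten"          # header address made it into the log
        elif source_ip in trusted_proxies:
            status = "not-rewritten"      # proxy address logged: the issue above
        else:
            status = "untrusted-peer"     # header from a peer that is not a proxy
        findings.append({"id": tx_id, "logged": source_ip,
                         "header": client, "status": status})
    return findings


if __name__ == "__main__":
    for finding in check_remoteip(SAMPLE_AUDIT_LOG, {"10.0.0.5"}):
        print(finding)
```

Run against a real audit log, the "not-rewritten" status for transactions from a known proxy is the signal that the connector is not honouring mod_remoteip; "untrusted-peer" results are expected and should stay that way once the proxy list is restricted.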

zimmerle commented 3 years ago

@drmuey Apache version for 3.0 is not yet ready for production. Please use the version 2.x

robbytx commented 3 years ago

In order to get the real IP to appear in the ModSecurity audit log, I've come up with the workaround of adding it to a header before ModSecurity reads the headers (but apparently after the RemoteIP module takes effect):

RequestHeader append X-Connecting-IP "%{REMOTE_ADDR}s" early

It's admittedly a hack, and the documentation discourages use of the early option, but it's working for me. YMMV.