3

Ok.. this is rather strange, but I need to replace the X-Forwarded-For value.

We are using SAP B1, and for various reasons, it needs X-Forwarded-For to contain only one string, "https://sap.domain.tld:443", and only that value. No other hosts, and no comma. Exactly that.

Now, I am using various proxies and Cloudflare, which add some values to X-Forwarded-For that I have to remove to access SAP B1 Web Access. I need all those values removed.

Below is my configuration in apache:

    SSLEngine On
    SSLCertificateFile      /etc/ssl/crt/sap.crt
    SSLCertificateKeyFile /etc/ssl/private/4096.key
    SSLCACertificateFile    /etc/ssl/ca/ca.crt

    SSLProxyEngine On
    SSLProxyCheckPeerCN off
    SSLProxyVerify none
    SSLProxyCheckPeerName off
    SSLProtocol -all +TLSv1.2 +TLSv1.1 +TLSv1
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA$

    ProxyPreserveHost On
    ProxyVia full
    ProxyPass / https://10.1.1.1:8100/
    ProxyPassReverse / https://10.1.1.1:8100/
    ProxyAddHeaders off
    RequestHeader unset X-forwarded-for
    RequestHeader set X-Forwarded-For "https://sap.domain.tld:443"

I have added ProxyAddHeaders off but apache still adds new X-Forwarded-For. How can I remove them all?

prd
  • X-Forwarded-For format does not include url or scheme. The way to disable those headers is not with "RequestHeader unset"; there is a directive for that, "ProxyAddHeaders off" (which is on by default) – ezra-s Feb 28 '18 at 23:53
  • Well, I already have that set. Anything wrong in my config? – prd Mar 01 '18 at 04:01
  • aside from that extra "RequestHeader unset X-forwarded-for", and the incorrect header value you want to set, nothing wrong. – ezra-s Mar 01 '18 at 11:00
  • So, why does Apache still include previous IP values in X-forwarded-for? Is there a way to remove all of them? I know it is incorrect, but for some reason that eludes me, SAP needs it that way. – prd Mar 02 '18 at 04:33
  • are you sure you are landing in this virtualhost? ProxyAddHeaders should get rid of that header or at least make Apache not add its own. If you have other values, is there any proxy behind this? – ezra-s Mar 02 '18 at 11:27
  • Yes. I have tried adding `ProxyAddHeaders` on and off. `Off` only adds 1 IP, while `on` has 2 IPs. I've made a special code in nodejs to log these X-forwarded-for headers, and it still shows even with `off` setting. This virtualhost is also behind CloudFlare. Is that a problem? – prd Mar 02 '18 at 13:53
  • Error message from SAP for off setting: `HTTP Status 500 - None of SP's internal[https://sap.domain.tld:8100/dispatcher] and external address[[https://sap.domain.tld:443]] haven't been found in value of the "x-forwarded-for" header [https://sap.domain.tld:443, 111.95.126.59]` – prd Mar 02 '18 at 13:58
  • I tried to bypass Cloudflare; it does not have an effect. I still get one IP address in X-forwarded-for, only a different IP. – prd Mar 02 '18 at 14:10

1 Answer

4

I recently ran into a similar problem. For me it turned out that ProxyAddHeaders off didn't work in <VirtualHost> context (despite the docs). After putting the directive in a <Location> context Apache stopped adding X-Forwarded-* headers as expected.

Yours might look as follows...

    <Location />
        ...
        ProxyPass https://10.1.1.1:8100/
        ProxyPassReverse https://10.1.1.1:8100/
        ProxyAddHeaders off
        RequestHeader unset X-forwarded-for
        RequestHeader set X-Forwarded-For "https://sap.domain.tld:443"
    </Location>

Jörg Schulz
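
To confirm what the backend actually receives after moving the directives, a small Node.js header checker can stand in for the SAP dispatcher. This is an added example, not code from the thread: the function names, the plain-HTTP listener on 127.0.0.1 and port 8100 are assumptions, and only the expected value comes from the question.

```javascript
const http = require('http');
const net = require('net');

// Split an X-Forwarded-For value into its comma-separated entries and
// classify each one as an IP address (the usual content) or something else.
function parseForwardedFor(value) {
  if (value === undefined) return [];
  return String(value)
    .split(',')
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
    .map((entry) => ({ entry, isIp: net.isIP(entry) !== 0 }));
}

// Report whether the header is exactly the single value the backend expects,
// and list every extra entry that a proxy hop appended.
function checkForwardedFor(value, expected) {
  const entries = parseForwardedFor(value);
  const extras = entries.filter((e) => e.entry !== expected).map((e) => e.entry);
  const ok = entries.length === 1 && extras.length === 0;
  return { ok, count: entries.length, extras };
}

// Node joins repeated X-Forwarded-For request headers with ", ", so
// req.headers['x-forwarded-for'] covers both one header line and several.
function handler(expected) {
  return (req, res) => {
    const raw = req.headers['x-forwarded-for'];
    const result = checkForwardedFor(raw, expected);
    console.log(JSON.stringify({ url: req.url, raw, ...result }));
    res.writeHead(result.ok ? 200 : 500, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify(result) + '\n');
  };
}

// Run as: node xff-check.js listen [port]   (file name and port are assumptions)
if (process.argv[2] === 'listen') {
  const expected = 'https://sap.domain.tld:443'; // value from the question
  const port = Number(process.argv[3]) || 8100;
  http.createServer(handler(expected)).listen(port, '127.0.0.1');
}
```

Point a test `ProxyPass` at this listener over plain HTTP and compare the logged `extras` with `ProxyAddHeaders off` in `<VirtualHost>` versus `<Location>` context.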