Apache is Returning the wrong REMOE_ADDR

Seems my apache server is returning an incorrect REMOTE_ADDR. I'm
setting up a new Apache server, 2.0.59-1. Looking in my access logs it
seems all the requests are coming from IP 98.240.163.0, which is
nowhere near my address range So I setup a simple perl script to show
me my IP:

#!/usr/bin/perl

$RemoteAddress = $ENV{REMOTE_ADDR};
print "Content-type: text/html\n\n";
print "Your IP is: $RemoteAddress";

And it shows the same address. Which of course is not my address.
Anyone know what my issue could be?

Scooter wrote:
> Seems my apache server is returning an incorrect REMOTE_ADDR. I'm
> setting up a new Apache server, 2.0.59-1. Looking in my access logs it
> seems all the requests are coming from IP 98.240.163.0, which is
> nowhere near my address range So I setup a simple perl script to show
> me my IP:
>
> #!/usr/bin/perl
>
> $RemoteAddress = $ENV{REMOTE_ADDR};
> print "Content-type: text/html\n\n";
> print "Your IP is: $RemoteAddress";
>
> And it shows the same address. Which of course is not my address.
> Anyone know what my issue could be?

If you do a print ($_,$ENV{$_}) foreach (keys %ENV);, do you see any
forwarding/proxy values, that do contain your IP?
--
Rik Wasmus

Rik wrote:
> Scooter wrote:
> > Seems my apache server is returning an incorrect REMOTE_ADDR. I'm
> > setting up a new Apache server, 2.0.59-1. Looking in my access logs it
> > seems all the requests are coming from IP 98.240.163.0, which is
> > nowhere near my address range So I setup a simple perl script to show
> > me my IP:
> >
> > #!/usr/bin/perl
> >
> > $RemoteAddress = $ENV{REMOTE_ADDR};
> > print "Content-type: text/html\n\n";
> > print "Your IP is: $RemoteAddress";
> >
> > And it shows the same address. Which of course is not my address.
> > Anyone know what my issue could be?
>
> If you do a print ($_,$ENV{$_}) foreach (keys %ENV);, do you see any
> forwarding/proxy values, that do contain your IP?
> --
> Rik Wasmus
This is the output of my script now:

Your IP is: 98.240.163.0
(SCRIPT_NAME,/ip.pl)
(SERVER_NAME,[my server name])
(SERVER_ADMIN,[server email address])
(HTTP_ACCEPT_ENCODING,gzip, deflate)
(HTTP_CONNECTION,Keep-Alive)
(REQUEST_METHOD,GET)
(HTTP_ACCEPT,*/*)
(SCRIPT_URI,http://[url to script])
(SCRIPT_FILENAME,[path to script])
(HTTP_UA_CPU,x86)
(SERVER_SOFTWARE,Apache)
(QUERY_STRING,)
(REMOTE_PORT,1445)
(HTTP_USER_AGENT,Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
..NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1))
(SERVER_PORT,80)
(SERVER_SIGNATURE,)
(HTTP_ACCEPT_LANGUAGE,en-us)
(REMOTE_ADDR,98.240.163.0)
(SERVER_PROTOCOL,HTTP/1.1)
(PATH,/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin)
(REQUEST_URI,[uri])
(GATEWAY_INTERFACE,CGI/1.1)
(SCRIPT_URL,[url])
(SERVER_ADDR,[ip of server, 10.x.x.x])
(DOCUMENT_ROOT,/www/htdocs/)
(HTTP_HOST,[hostname])

Scooter wrote:

> Seems my apache server is returning an incorrect REMOTE_ADDR. I'm
> setting up a new Apache server, 2.0.59-1. Looking in my access logs it
> seems all the requests are coming from IP 98.240.163.0, which is
> nowhere near my address range So I setup a simple perl script to show
> me my IP:

> #!/usr/bin/perl

> $RemoteAddress = $ENV{REMOTE_ADDR};
> print "Content-type: text/html\n\n";
> print "Your IP is: $RemoteAddress";

> And it shows the same address. Which of course is not my address.
> Anyone know what my issue could be?

What you describe is impossible. Transaction protocol requires a
correct IP Address for two-way communication.

98.240.163.0 sends a request
Apache responds to 98.240.163.0

If this is not your IP Address, you would receive no response
via your browser or other method. An IP Address is like a home
address. Your home address is 123 Main Street. You can only
receive mail at that address. All mail with a different address,
of course, is delivered elsewhere.

Additionally, 98.240.163.0 is a broadcast address, not a usable
IP Address for internet connectivity. IP Addresses ending with
zero or two-fifty-six, both are broadcast addresses, in correct
usage by servers and machines.

Are you using a router? What is the gateway address of your
router? What is your machine address?

Your 98.240.163.0 is not a valid IP Address for general usage.
This appears to be an odd internal router gateway address or
an odd internal machine IP Address.

Nonetheless, you can be sure that is your IP Address.

Purl Gurl

Purl Gurl wrote:
> Scooter wrote:
>
> > Seems my apache server is returning an incorrect REMOTE_ADDR. I'm
> > setting up a new Apache server, 2.0.59-1. Looking in my access logs it
> > seems all the requests are coming from IP 98.240.163.0, which is
> > nowhere near my address range So I setup a simple perl script to show
> > me my IP:
>
> > #!/usr/bin/perl
>
> > $RemoteAddress = $ENV{REMOTE_ADDR};
> > print "Content-type: text/html\n\n";
> > print "Your IP is: $RemoteAddress";
>
> > And it shows the same address. Which of course is not my address.
> > Anyone know what my issue could be?
>
> What you describe is impossible. Transaction protocol requires a
> correct IP Address for two-way communication.
>
> 98.240.163.0 sends a request
> Apache responds to 98.240.163.0
>
> If this is not your IP Address, you would receive no response
> via your browser or other method. An IP Address is like a home
> address. Your home address is 123 Main Street. You can only
> receive mail at that address. All mail with a different address,
> of course, is delivered elsewhere.
>
> Additionally, 98.240.163.0 is a broadcast address, not a usable
> IP Address for internet connectivity. IP Addresses ending with
> zero or two-fifty-six, both are broadcast addresses, in correct
> usage by servers and machines.
>
> Are you using a router? What is the gateway address of your
> router? What is your machine address?
>
> Your 98.240.163.0 is not a valid IP Address for general usage.
> This appears to be an odd internal router gateway address or
> an odd internal machine IP Address.
>
> Nonetheless, you can be sure that is your IP Address.
>
> Purl Gurl

Is your browser set up to use a tcp proxy/gateway server, which might
have been incorrectly given that IP addreses on the internal side?

If so your connection will be going via that IP, it is likely to be a
misconfigured internal IP which should rather be one IP from the 3
reserved ranges. In fact this could be a security risj for your network
and so it should be changed, becuase if the gateway routes packets out
to the same block, you will be leaking data to the internet. As well as
this you could be blocking access _to_ a large amount of IP addresses,
and blocking access to your internal network _from_ them as well!

Purl Gurl wrote:
> Scooter wrote:
>
> > Seems my apache server is returning an incorrect REMOTE_ADDR. I'm
> > setting up a new Apache server, 2.0.59-1. Looking in my access logs it
> > seems all the requests are coming from IP 98.240.163.0, which is
> > nowhere near my address range So I setup a simple perl script to show
> > me my IP:
>
> > #!/usr/bin/perl
>
> > $RemoteAddress = $ENV{REMOTE_ADDR};
> > print "Content-type: text/html\n\n";
> > print "Your IP is: $RemoteAddress";
>
> > And it shows the same address. Which of course is not my address.
> > Anyone know what my issue could be?
>
> What you describe is impossible. Transaction protocol requires a
> correct IP Address for two-way communication.
>
> 98.240.163.0 sends a request
> Apache responds to 98.240.163.0
>
> If this is not your IP Address, you would receive no response
> via your browser or other method. An IP Address is like a home
> address. Your home address is 123 Main Street. You can only
> receive mail at that address. All mail with a different address,
> of course, is delivered elsewhere.
>
> Additionally, 98.240.163.0 is a broadcast address, not a usable
> IP Address for internet connectivity. IP Addresses ending with
> zero or two-fifty-six, both are broadcast addresses, in correct
> usage by servers and machines.
>
> Are you using a router? What is the gateway address of your
> router? What is your machine address?
>
> Your 98.240.163.0 is not a valid IP Address for general usage.
> This appears to be an odd internal router gateway address or
> an odd internal machine IP Address.
>
> Nonetheless, you can be sure that is your IP Address.
>
> Purl Gurl

sorry Purl Gurl there, I just noticed your last paragraph, "odd
internal router gateway address"
credit to you

shimmyshack wrote:
> Purl Gurl wrote:
>>Scooter wrote:

(snipped)

>>>seems all the requests are coming from IP 98.240.163.0, which is

>>Your 98.240.163.0 is not a valid IP Address for general usage.
>>This appears to be an odd internal router gateway address or
>>an odd internal machine IP Address.

> sorry Purl Gurl there, I just noticed your last paragraph, "odd
> internal router gateway address"
> credit to you

Not a problem. I found a handful of references to 98.x.x.x addresses.
There is a "Provider Edge" router associated with VPN and tunneling
which employs the 98.x.x.x IP Address range. Most references I found
label this a "PE" router with no explanation about that type of router.
I have not found any references which discuss a PE router to any extent
which is worthwhile; not much out there.

New to me. I always thought these ranges to be the only private addresses,

10.0.0.0 - 10.255.255.255
169.254.0.0 - 169.254.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

Looks the author is accessing his local web server through a LAN
with one of those "PE" routers in the circuit. Some routers are
known to "trick" people if not confuse people about IP Addresses.

An example is when I access our public webserver, purlgurl.net,
my IP Address is recorded as my machine address on our LAN rather
than our static backbone IP Address. For our LAN system, we when
access our web server, email server or DNS server, although our
public static IP Address is returned by DNS, our machines are
routed locally rather than through the internet. Common behavior,
I understand, but strikes me as rather odd behavior.

I am certain he is seeing his LAN address. Something is not quite
right because IP Addresses ending with zero or two-fifty-six are
reserved and most routers will reject attempts to configure for
those end point addresses.

Purl Gurl

Purl Gurl wrote:
> shimmyshack wrote:
> > Purl Gurl wrote:
> >>Scooter wrote:
>
> (snipped)
>
> >>>seems all the requests are coming from IP 98.240.163.0, which is
>
> >>Your 98.240.163.0 is not a valid IP Address for general usage.
> >>This appears to be an odd internal router gateway address or
> >>an odd internal machine IP Address.
>
> > sorry Purl Gurl there, I just noticed your last paragraph, "odd
> > internal router gateway address"
> > credit to you
>
> Not a problem. I found a handful of references to 98.x.x.x addresses.
> There is a "Provider Edge" router associated with VPN and tunneling
> which employs the 98.x.x.x IP Address range. Most references I found
> label this a "PE" router with no explanation about that type of router.
> I have not found any references which discuss a PE router to any extent
> which is worthwhile; not much out there.
>
> New to me. I always thought these ranges to be the only private addresses,
>
> 10.0.0.0 - 10.255.255.255
> 169.254.0.0 - 169.254.255.255
> 172.16.0.0 - 172.31.255.255
> 192.168.0.0 - 192.168.255.255
>
> Looks the author is accessing his local web server through a LAN
> with one of those "PE" routers in the circuit. Some routers are
> known to "trick" people if not confuse people about IP Addresses.
>
> An example is when I access our public webserver, purlgurl.net,
> my IP Address is recorded as my machine address on our LAN rather
> than our static backbone IP Address. For our LAN system, we when
> access our web server, email server or DNS server, although our
> public static IP Address is returned by DNS, our machines are
> routed locally rather than through the internet. Common behavior,
> I understand, but strikes me as rather odd behavior.
>
> I am certain he is seeing his LAN address. Something is not quite
> right because IP Addresses ending with zero or two-fifty-six are
> reserved and most routers will reject attempts to configure for
> those end point addresses.
>
> Purl Gurl

I was testing both from a remote desktop and locally on my apache
server with wget. We do no have any of the "Provider Edge" routers but
regardless of where I was conducting my tests I was receiving the same
odd IP addresses. I was assuming it was just an Apache bug. This is
somewhat similar to my bug but I was not receiving all zeros in my
tests: http://issues.apache.org/bugzilla/show_bug.cgi?id=41404

Scooter wrote:

> Purl Gurl wrote:
>>shimmyshack wrote:
>>>Purl Gurl wrote:
>>>>Scooter wrote:

(snipped - read thread for full context)

>>>>>seems all the requests are coming from IP 98.240.163.0, which is

>>>>Your 98.240.163.0 is not a valid IP Address for general usage.
>>>>This appears to be an odd internal router gateway address or
>>>>an odd internal machine IP Address.

>>I am certain he is seeing his LAN address....

> I was testing both from a remote desktop and locally on my apache
> server with wget.

This would generate the same gateway address, but should not
generate the same machine address; two different machines.

> odd IP addresses. I was assuming it was just an Apache bug. This is
> somewhat similar to my bug but I was not receiving all zeros in my
> tests: http://issues.apache.org/bugzilla/show_bug.cgi?id=41404

REMOTE_ADDR="0.0.0.0"

This is the address of a transparent proxy server very
typical for a Linux machine. I believe this would also
apply to some firmware firewalls. Our Netscreen runs
as 0.0.0.0 for an IP Address. However, this usually is
a firewall between a LAN and the internet; Apache would
not report this address. Might report a transparent proxy
server address serving a LAN, internally, but highly unlikely.

I would not expect an Apache "bug" to return consistent
results for your testing. Two machines, two machine addresses,
which should result in different remote addresses, even if
in error. Typically a bug creates a random effect for errors.

Interesting problem. Have you accessed from outside your LAN?

Purl Gurl

Purl Gurl wrote:
> Scooter wrote:
>
> > Purl Gurl wrote:
> >>shimmyshack wrote:
> >>>Purl Gurl wrote:
> >>>>Scooter wrote:
>
> (snipped - read thread for full context)
>
> >>>>>seems all the requests are coming from IP 98.240.163.0, which is
>
> >>>>Your 98.240.163.0 is not a valid IP Address for general usage.
> >>>>This appears to be an odd internal router gateway address or
> >>>>an odd internal machine IP Address.
>
> >>I am certain he is seeing his LAN address....
>
> > I was testing both from a remote desktop and locally on my apache
> > server with wget.
>
> This would generate the same gateway address, but should not
> generate the same machine address; two different machines.
>
> > odd IP addresses. I was assuming it was just an Apache bug. This is
> > somewhat similar to my bug but I was not receiving all zeros in my
> > tests: http://issues.apache.org/bugzilla/show_bug.cgi?id=41404
>
> REMOTE_ADDR="0.0.0.0"
>
> This is the address of a transparent proxy server very
> typical for a Linux machine. I believe this would also
> apply to some firmware firewalls. Our Netscreen runs
> as 0.0.0.0 for an IP Address. However, this usually is
> a firewall between a LAN and the internet; Apache would
> not report this address. Might report a transparent proxy
> server address serving a LAN, internally, but highly unlikely.
>
> I would not expect an Apache "bug" to return consistent
> results for your testing. Two machines, two machine addresses,
> which should result in different remote addresses, even if
> in error. Typically a bug creates a random effect for errors.
>
> Interesting problem. Have you accessed from outside your LAN?
>
> Purl Gurl


this conversation needs more info.
Do you have more than one NIC on your server machine?
Have you bound apache to a specific IP address?
How have you set your DNS internally on the network, in a hosts file?

exactly from which machines have you connected to apache (the apache
machine and another on your LAN, what does remote mean, outside your
LAN?)

You are narrowing the possibilities, but we still need a little more.