httpd-cvs mailing list archives

From wr...@apache.org
Subject svn commit: r748703 - /httpd/sandbox/mod_remoteip/README
Date Fri, 27 Feb 2009 21:16:26 GMT
Author: wrowe
Date: Fri Feb 27 21:16:26 2009
New Revision: 748703

URL: http://svn.apache.org/viewvc?rev=748703&view=rev
Log:
Additional considerations

Modified:
    httpd/sandbox/mod_remoteip/README

Modified: httpd/sandbox/mod_remoteip/README
URL: http://svn.apache.org/viewvc/httpd/sandbox/mod_remoteip/README?rev=748703&r1=748702&r2=748703&view=diff
==============================================================================
--- httpd/sandbox/mod_remoteip/README (original)
+++ httpd/sandbox/mod_remoteip/README Fri Feb 27 21:16:26 2009
@@ -81,6 +81,18 @@
 intranet resources, some other representation in remote_ip must be used.
 
 
+Interrelated to the issues above, some proxies may present something which is
+not valid IPv4 or IPv6 numeric addressing.  It might be necessary some day to
+perform IP lookup of hostnames perhaps on a further restricted set of trusted
+proxies, as it's easy enough to trigger a DoS though irresolvable host names.
+Therefore it's best to leave this proxy as the remote IP and simply abandon 
+the X-Forwarded-For chain for the application to further evaluate.
+
+It's also possible that the IPv6 address is actually an IPv4-over IPv6 
+representation.  Per the expected behavior of Apache httpd, these should be
+translated to their IPv4 representations.
+
+
 Additional security considerations;
 
   * Trust is absolute.  If the trusted proxy is subject to an MITM attack,
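Review bot: the first added paragraph has a typo that inverts the sense of the sentence: "it's easy enough to trigger a DoS though irresolvable host names" should read "through irresolvable host names", since the point being made is that resolving attacker-supplied names is the DoS vector. In the same paragraph, "leave this proxy as the remote IP and simply abandon the X-Forwarded-For chain for the application to further evaluate" should say explicitly that the header is left untouched rather than stripped, because "for the application to further evaluate" only works if the original chain survives the request. The second paragraph's "IPv4-over IPv6" would be clearer as "IPv4-mapped IPv6", the usual term for the representation being translated back to IPv4. Two of the added lines ("...simply abandon " and "...IPv4-over IPv6 ") also carry trailing whitespace.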


