httpd-cvs mailing list archives

Subject svn commit: r748703 - /httpd/sandbox/mod_remoteip/README
Date Fri, 27 Feb 2009 21:16:26 GMT
Author: wrowe
Date: Fri Feb 27 21:16:26 2009
New Revision: 748703

Additional considerations


Modified: httpd/sandbox/mod_remoteip/README
--- httpd/sandbox/mod_remoteip/README (original)
+++ httpd/sandbox/mod_remoteip/README Fri Feb 27 21:16:26 2009
@@ -81,6 +81,18 @@
 intranet resources, some other representation in remote_ip must be used.
+Interrelated to the issues above, some proxies may present something which is
+not valid IPv4 or IPv6 numeric addressing.  It might be necessary some day to
+perform IP lookup of hostnames perhaps on a further restricted set of trusted
+proxies, as it's easy enough to trigger a DoS though irresolvable host names.
+Therefore it's best to leave this proxy as the remote IP and simply abandon 
+the X-Forwarded-For chain for the application to further evaluate.
+It's also possible that the IPv6 address is actually an IPv4-over IPv6 
+representation.  Per the expected behavior of Apache httpd, these should be
+translated to their IPv4 representations.
 Additional security considerations;
   * Trust is absolute.  If the trusted proxy is subject to an MITM attack,
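Review bot: "though" is a typo for "through" in "it's easy enough to trigger a DoS though irresolvable host names" (fourth added line), and "IPv4-over IPv6" in the second added paragraph should be hyphenated as "IPv4-over-IPv6" or, more precisely, named as the IPv4-mapped IPv6 form (::ffff:a.b.c.d) so readers know which representation the module normalises; lines 5 and 7 of the addition also carry trailing whitespace. On substance, the first paragraph says the module abandons the X-Forwarded-For chain "for the application to further evaluate" when a trusted proxy presents a non-numeric token, but it does not say what the application is left with: state explicitly that the unconsumed X-Forwarded-For header is passed through unchanged (or whatever the module actually does), since an application that assumes the chain has been fully validated would otherwise trust a value the module deliberately refused to resolve.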
