httpd-cvs mailing list archives

From wr...@apache.org
Subject svn commit: r756324 - /httpd/sandbox/mod_remoteip/README
Date Fri, 20 Mar 2009 04:44:02 GMT
Author: wrowe
Date: Fri Mar 20 04:44:01 2009
New Revision: 756324

URL: http://svn.apache.org/viewvc?rev=756324&view=rev
Log:
Update the notes

Modified:
    httpd/sandbox/mod_remoteip/README

Modified: httpd/sandbox/mod_remoteip/README
URL: http://svn.apache.org/viewvc/httpd/sandbox/mod_remoteip/README?rev=756324&r1=756323&r2=756324&view=diff
==============================================================================
--- httpd/sandbox/mod_remoteip/README (original)
+++ httpd/sandbox/mod_remoteip/README Fri Mar 20 04:44:01 2009
@@ -44,7 +44,7 @@
   X-Forwarded-For: origin-client
 
 and a request notes field value of remoteip-proxy-ip-list containing the
-value of "proxy2, gateway"
+value of "proxy2, gateway".
 
 This remoteip-proxy-ip-list may be presented as a request header, by using
 the additional directive RemoteIPProxiesHeader, which specifies the header
@@ -54,32 +54,51 @@
 
 or whatever desired header field should be used.
 
+It's also possible that the IPv6 address is actually an IPv4-over IPv6 
+representation.  Per the expected behavior of Apache httpd, these are
+translated to their IPv4 representations.
 
+When using the advertised client IP address, it's necessary to evaluate the
+trust of the origin of that data, so it becomes necessary to build a list
+of trust for a particular application.  The obvious case are internal proxies,
+which are not subject to tracking (the remoteip-proxy-ip-list will not track
+internal proxies, such as the application gateway machine).  To list these
+trusted internal proxies, specify one or more IP's (or IP prefixes such as
+the pattern "10.", or IP with /subnet bits) using any combination of;
+
+  RemoteIPTrustedProxy [IP|IP/subnet]...
+  RemoteIPInternalProxyList filename
+
+where the filename contains entries, one or more per line, of IP, IP/subnet
+etc, and where blank lines and text following the # comment delimiter are 
+all ignored.
 
-TODO: the immediate improvement in this module on my plate is to add the
-following processing...
-
-However, when using the advertised client IP address, there is absolutely
-no trust that the origin of that data.  It becomes necessary to build a list
-of trust for a particular application.  Public, maintained lists have been
-developed by the following projects;
+The second cases are proxies to be tracked.  Public, maintained lists have 
+been developed by the following projects;
 
  * http://meta.wikimedia.org/wiki/XFF_project
 
+  RemoteIPTrustedProxy [IP|IP/subnet]...
+  RemoteIPTrustedProxyList filename
 
+The Proxy/ProxyList directives should accept hostnames, although these then
+must be translated to IP when added to the table.
 
-There is a second tier of issues.  We may wish to recognize private IP
-addresses, but only when presented by a specific private proxy or group of 
-private proxies.  E.g. one or more intranets may be of interest, but on balance 
-most are not, even coming from otherwise trusted public proxies.  RFC 1918 
-defines these as 10./8, 172.16./12 and 192.168./16, and even 127./8 may be 
-of interest for purposes of testing or remoting one particular box.
+There is a second tier of issues.  We will only recognize private IP
+addresses when presented by a specific internal proxy or chain of internal 
+proxies.  On balance, most private addresses from external trusted proxies
+are not useful.  RFC 1918 defines these as 10./8, 172.16./12 and 192.168./16, 
+and even 127./8 may be of interest for purposes of testing or remoting one 
+particular box.  Other non-extranet patterns are similarly disallowed.
 
 If a given proxy is trusted, but not one of our private proxies, and indicates
 that its immediate X-Forwarded-For pointer is within a private subnet, that
-translation should not occur, and the proxy itself should be treated as the 
+translation will not occur, and the proxy itself should be treated as the 
 client remote IP.  
 
+
+--TO BE RESOLVED --
+
 There is another option that presents itself as suggested by the XFF_project
 crew, which is to create a representation of the IP as {private}-via-{public}
 resolutions, which could serve as a uniquifier within the private domain for
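Review bot: the inline directive shown for internal proxies in the first directive block ("RemoteIPTrustedProxy [IP|IP/subnet]..." paired with "RemoteIPInternalProxyList filename") looks like a copy/paste slip, since the identical "RemoteIPTrustedProxy" line is repeated in the second block for tracked proxies; if the pairing with RemoteIPInternalProxyList is intended, the first block should read "RemoteIPInternalProxy [IP|IP/subnet]...". The distinction matters for a reader configuring from this README: internal proxies are exempt from remoteip-proxy-ip-list tracking while trusted external ones are recorded, so the wrong directive name would let an external proxy land on the untracked list. The sentence allowing the Proxy/ProxyList directives to accept hostnames should also say when the name is resolved ("when added to the table" suggests configuration time) and what happens when a name resolves to several addresses, and "one or more IP's" should be "one or more IPs".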
@@ -89,17 +108,14 @@
 private address space is often used, e.g. for Allow from 10. syntax to protect
 intranet resources, some other representation in remote_ip must be used.
 
-
 Interrelated to the issues above, some proxies may present something which is
-not valid IPv4 or IPv6 numeric addressing.  It might be necessary some day to
-perform IP lookup of hostnames perhaps on a further restricted set of trusted
-proxies, as it's easy enough to trigger a DoS though irresolvable host names.
-Therefore it's best to leave this proxy as the remote IP and simply abandon 
-the X-Forwarded-For chain for the application to further evaluate.
-
-It's also possible that the IPv6 address is actually an IPv4-over IPv6 
-representation.  Per the expected behavior of Apache httpd, these should be
-translated to their IPv4 representations.
+not valid IPv4 or IPv6 numeric addressing.  The unoptimized path already uses
+getaddrinfo() or it's equivilant which will perform a reverse hostname lookup.
+It might be desireable to perform IP lookup of hostnames based on only the
+internal, most trusted proxies list, as it's easy enough to trigger a DoS 
+though irresolvable host names.  In those cases it might be best to leave this 
+proxy as the remote IP and simply abandon the X-Forwarded-For chain for the 
+application to further evaluate.
 
 
 Additional security considerations;
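Review bot: "getaddrinfo() or it's equivilant which will perform a reverse hostname lookup" is inaccurate; getaddrinfo() resolves a hostname to addresses, a forward lookup, and that is exactly what makes a non-numeric X-Forwarded-For entry a DoS vector, since the entry is supplied by the client. The paragraph then leaves the behaviour undecided ("It might be desireable ...", "it might be best ..."); it should state the actual default, preferably that entries which are not numeric IPv4/IPv6 are never resolved and simply terminate the chain at that proxy, with resolution (if offered at all) opt-in and limited to the internal proxy list as the text already proposes. Spelling: "it's equivilant" should be "its equivalent", "desireable" should be "desirable", and "though irresolvable" should be "through irresolvable".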
@@ -108,5 +124,9 @@
     or blindly trusts a request X-Forwarded-For field without appending its
     own address, the server will falsely evaluate such a chain.
 
+  * If RemoteIPHeader is enabled and no Trusted or Internal proxies are
+    explicitly listed, that RemoteIPHeader value is evaluated without any
+    evaluation of trusted proxies.  [Should this trigger a configure time
+    or run time warning?]
 
  
\ No newline at end of file
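Review bot: the bracketed question in the new bullet should be answered in the README rather than shipped as an open note, because the bullet describes the module's most serious misconfiguration: with RemoteIPHeader set and no Trusted or Internal proxies listed, the client-supplied header is accepted without any trust check, so the value any client chooses becomes the remote IP that access control such as the "Allow from 10." example above acts on. A configure-time warning at minimum is warranted, and the bullet should state that consequence for the reader instead of only the mechanism. The file also still ends without a trailing newline ("\ No newline at end of file"), which none of the hunks fix.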


