httpd-dev mailing list archives

From Aaron Bannert <aa...@clove.org>
Subject Re: 301 Redirect through a firewall... Possible to hide the origin server ip address?
Date Fri, 14 Sep 2001 18:56:49 GMT
On Fri, Sep 14, 2001 at 11:40:57AM -0700, Justin Erenkrantz wrote:
> On Fri, Sep 14, 2001 at 11:26:37AM -0700, Aaron Bannert wrote:
> > If anything, this is a really minor security hole. If an attacker can
> > get into your system merely by knowing the internal names/IPs of your
> > servers then you are in trouble. Either do what Ryan said (for HTTP/1.0),
> > or set up a virtual-host to accept the name that brought the requests
> > to the firewall (really, it's just a proxy) in the first place (if you
> > don't care about <HTTP/1.1 requests, which is how it works in practice).
> 
> No, this is a functional error because the browser will use the location 
> field to get the next request (which is not resolvable from the outside
> in most cases with a firewall).  Oops.

To whom are you replying? Yes, it's a functional error, but I think
Bill was more concerned that it may expose possibly private internal names.
You and I have experienced this numerous times with the setup at eBuilt.

-aaron

