httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Justin Erenkrantz <>
Subject Re: 301 Redirect through a firewall... Possible to hide the origin server ip address?
Date Fri, 14 Sep 2001 19:45:39 GMT
On Fri, Sep 14, 2001 at 11:59:29AM -0700, Ryan Bloom wrote:
> On Friday 14 September 2001 11:40 am, Justin Erenkrantz wrote:
> > On Fri, Sep 14, 2001 at 11:26:37AM -0700, Aaron Bannert wrote:
> > > If anything, this is a really minor security hole. If an attacker can
> > > get into your system merely by knowing the internal names/IPs or your
> > > servers then you are in trouble. Either do what Ryan said (for HTTP/1.0),
> > > or set up a virtual-host to accept the name that brought the requests
> > > to the firewall (really, it's just a proxy) in the first place (if you
> > > don't care about <HTTP/1.1 requests, which is how it works in practice).
> >
> > No, this is a functional error because the browser will use the location
> > field to get the next request (which is not resolvable from the outside
> > in most cases with a firewall).  Oops.
> This is not a functional error, it is a config error.  The origin server can
> NOT know what the proxy's server name is, unless it is in the config file.
> If the config is fixed, the problem will go away.

As far as the browser is concerned, it is a functional error.
On our side, it is a configuration error.

You guys were saying that it was a security flaw - it is more than
that because the web browser can't request the correct page.  -- justin

View raw message