httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andy Armstrong <an...@apache.org>
Subject Reverse Proxies, REMOTE_ADDR spoofing patch
Date Thu, 25 Nov 2004 10:49:45 GMT
I've been playing around with using Apache 2 as a facade proxy behind 
which I'm hiding around 80 Apache 1.3 and Apache 2 instances. The back 
end servers are running mainly PHP content that I'm hosting for people 
and I want to get round the vulnerabilities that result from everything 
running as 'nobody'.

I'd like people's PHP and CGIs to work without changes which, in some 
cases, means spoofing the value of REMOTE_ADDR to be that of the 
original request (X-Forwarded-For). Having played around fruitlessly 
with SetEnv and mod_rewrite I had a look at the 1.3.33 source and 
concluded that REMOTE_ADDR is populated in ap_add_common_vars() and that 
there's no way to subvert the value that it gets.

I've patched 1.3.33 to provide a new boolean directive 
ProxyFakeRemoteAddr which, when enabled, plucks the value of any 
X-Forwarded-For header and populates REMOTE_ADDR with it. It also 
supresses any attempt to set REMOTE_HOST.

This seems to scratch an itch which I'm not alone in having, adds just a 
few lines and has no effect when its disabled. The one functional 
problem I can with it is that if you erroneously enable it on a server 
that isn't behind a proxy it allows REMOTE_ADDR to be spoofed by setting 
the X-Forwarded-For header.

If the consensus is that it's an ugly bodge I'll happily keep it to 
myself but, judging by the posts that periodically crop up on usenet, it 
would solve a problem for quite a few people.

Shall I post the patch?

-- 
Andy Armstrong


Mime
View raw message