httpd-dev mailing list archives

From Jie Gao <J....@isu.usyd.edu.au>
Subject Re: feature proposal
Date Tue, 15 Mar 2005 03:59:54 GMT

On Mon, 14 Mar 2005, Joshua Slive wrote:

> Date: Mon, 14 Mar 2005 22:20:39 -0500
> From: Joshua Slive <joshua@slive.ca>
> Reply-To: dev@httpd.apache.org
> To: dev@httpd.apache.org
> Subject: Re: feature proposal
>
>
> On Tue, 15 Mar 2005 13:25:52 +1100 (EST), "Jie Gao"
> <J.Gao@isu.usyd.edu.au> said:
> > Hi All,
> >
> > Apache is already passing client IP addr to the backend server via a
> > mechanism of headers:
> >
> > X-Forwarded-For
> > X-Forwarded-Host
> > X-Forwarded-Server
> >
> > The difficulty is that very often the backend server is an Apache
> > server from a vendor, and any changes to the server will void support.
> > There are also circumstances in which you simply can't recompile
> > it.
> >
> > It would be very helpful if Apache has configuration directives in the
> > core to get those headers (with conditions) in the server configuration
> > so that acl and logging based on the "real" IP addresses can work.
>
> You can do this already, with a tiny bit of work.
>
> For the logs, replace %h with %{X-Forwarded-For}i in your LogFormat.
>
> For access restrictions
> SetEnvIf X-Forwarded-For ^123\.456\.789\.123$ badguy
> Order allow,deny
> Allow from all
> Deny from env=badguy
>
> Not quite as simple and flexible (you can't do reverse lookups on IPs,
> for example), but it seems to me that making it easy to simply replace
> REMOTE_HOST with X-Forwarded-For could lead to security problems.  There

Yes, there is a security concern with that setup. I can only trust
X-Forwarded-For when the request is proxied from my front-end server.

Really, to think of it, this feature is a bit tricky to add: on the one
hand, Apache knows who it is talking to and on the other hand, it needs
to let the acl mechanism know the client is really another one.

> is probably a module that will do it for you, however.

I could write the module myself, but the point is I cannot touch (read:
recompile) the backend server.

Regards,

Jie
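The trust rule Jie states above (only honour X-Forwarded-For when the request really came from the front-end proxy) is the part that makes the SetEnvIf approach safe or unsafe, so here it is worked through as an added Python example rather than httpd configuration; this is not code from the thread or from httpd. The proxy networks, client addresses and deny list are constructed for illustration.

```python
"""Resolve the "real" client IP from X-Forwarded-For, trusting the header
only when the TCP peer is one of our own front-end proxies."""
import ipaddress
from typing import Optional

# Constructed: the reverse proxies we operate. Only these may speak for a client.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.1/32"),
                   ipaddress.ip_network("192.0.2.0/24")]


def _is_trusted(addr: str, trusted) -> bool:
    """True if addr parses as an IP and lies in one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def effective_client_ip(remote_addr: str, xff_header: Optional[str],
                        trusted=TRUSTED_PROXIES) -> str:
    """Walk the X-Forwarded-For chain from the right (nearest hop) leftwards,
    skipping hops that are our proxies; the first foreign address is the client.
    If the peer itself is not a trusted proxy, the header is client-supplied
    and is ignored entirely, so a spoofed value cannot influence ACLs or logs."""
    if not _is_trusted(remote_addr, trusted) or not xff_header:
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                # Unparseable value from outside: fall back to the proxy address
                # rather than propagate garbage into logs or access decisions.
                return remote_addr
    # Every hop was one of our proxies; nothing beyond remote_addr is known.
    return remote_addr


def access_allowed(remote_addr: str, xff_header: Optional[str],
                   denied: set, trusted=TRUSTED_PROXIES) -> bool:
    """Counterpart of 'Deny from env=badguy', keyed on the resolved client IP
    instead of the raw header value."""
    return effective_client_ip(remote_addr, xff_header, trusted) not in denied
```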
