httpd-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: ProxyBlock question
Date Tue, 24 Jul 2012 10:48:57 GMT
On 24.07.2012 11:22, Joe Orton wrote:
> On Tue, Jul 24, 2012 at 10:46:12AM +0200, Rainer Jung wrote:
>> IMHO if the admin explicitly configured an IP in the ProxyBlock
>> list we should nevertheless check. For this case there's already a
>> somewhat related warning in the docs which we could enhance for this
>> new case.
>>
>> It looks like we could check whether we have an explicit IP during
>> set_proxy_exclude() by comparing new->name and apr_sockaddr_ip_get()
>> of new->addr and later do the IP lookup for the target host only for
>> those rules where we had an explicit IP.
>>
>> Not sure whether apr_sockaddr_ip_get() applied to the result of
>> apr_sockaddr_info_get() applied to an IP gives back the same IP,
>> e.g. when there's IPv4 and v6 involved.
>
> Right, with a v6 address there can be multiple representations of the
> same address so that wouldn't be reliable.
>
> This seems to pile caveat on top of caveat; is it really necessary?
> ProxyBlock is not even documented to take literal IP addresses, but
> rather "*|word|host|domain".  Adding a special case for a literal IP
> will add significant complexity here; is it useful?  If there is a
> forward proxy configured why can't that proxy block the IP address?

You are right, I got the feature from the code not really from the docs.
We might remove the sentence "rocky.wotsamattau.edu would also be matched
if referenced by IP address." though or explain the limitations. Now
that we have understood it, that's easy. So I'm OK with not supporting
checking the request IP in the case we use another proxy.

> (But reading that code again, you also lead me to another bug; the use
> of apr_sockaddr_ip_get() against resolved addresses on the ->noproxies
> list looks to be leaky/unsafe, it will allocate memory out of pconf each
> time we check a resolved address!)

:(

Thanks!

Rainer
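
The representation problem raised in the quoted reply, as an added example that is not part of the original message and is not httpd code: it uses POSIX `inet_pton()`/`inet_ntop()` as a stand-in for the APR calls named in the thread, and the function names and sample values are hypothetical. A text round-trip comparison misses a v6 literal written in a non-canonical form, while a parse-only test does not depend on the spelling.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Round-trip test from the thread: parse the configured name, print it back,
 * and treat it as a literal IP only if the text comes back unchanged. */
static int literal_ip_by_roundtrip(const char *name)
{
    static const int families[] = { AF_INET, AF_INET6 };
    unsigned char bin[sizeof(struct in6_addr)];
    char text[INET6_ADDRSTRLEN];
    size_t i;

    for (i = 0; i < 2; i++) {
        if (inet_pton(families[i], name, bin) == 1
            && inet_ntop(families[i], bin, text, sizeof(text)) != NULL
            && strcmp(name, text) == 0)
            return 1;
    }
    return 0;
}

/* Representation-independent test: the name is a literal IP if it parses. */
static int literal_ip_by_parse(const char *name)
{
    unsigned char bin[sizeof(struct in6_addr)];

    return inet_pton(AF_INET, name, bin) == 1
        || inet_pton(AF_INET6, name, bin) == 1;
}

int main(void)
{
    /* Constructed sample ProxyBlock arguments (documentation addresses). */
    static const char *samples[] = {
        "192.0.2.10", "2001:db8::1", "2001:DB8:0:0:0:0:0:1",
        "rocky.wotsamattau.edu"
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-24s roundtrip=%d parse=%d\n", samples[i],
               literal_ip_by_roundtrip(samples[i]),
               literal_ip_by_parse(samples[i]));
    return 0;
}
```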

