httpd-dev mailing list archives

From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: svn commit: r1704683 - /httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
Date Wed, 23 Sep 2015 01:20:48 GMT
I will try, I'm having trouble coming to terms with the idea because there
is no way one would ever want private IP info from networks outside of
their control to be used for access control.

If you require ip 127.0.0.1 for your monitoring app/mod_status for example,
this suggestion completely destroys your ability to perform that.  Private
IP assignments are just that, and their inclusion in this module was
largely for bridged private environments where the administrator has
control of both.

On Tue, Sep 22, 2015 at 1:13 PM, Eric Covener <covener@gmail.com> wrote:

> I struggled with the phrasing here, any fine-tuning (or more) appreciated.
>
> Does our default make sense considering the warning at the top of the
> doc? Should we make people specify "RemoteIPTrustedProxy *" if they
> don't want to restrict it?
>
> On Tue, Sep 22, 2015 at 2:11 PM,  <covener@apache.org> wrote:
> > Author: covener
> > Date: Tue Sep 22 18:11:35 2015
> > New Revision: 1704683
> >
> > URL: http://svn.apache.org/viewvc?rev=1704683&view=rev
> > Log:
> > add warnings and emphasize the defaults for trusted non-internal proxies)
> >
> >
> > Modified:
> >     httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
> >
> > Modified: httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
> > URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml?rev=1704683&r1=1704682&r2=1704683&view=diff
> >
> ==============================================================================
> > --- httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml (original)
> > +++ httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml Tue Sep 22
> 18:11:35 2015
> > @@ -113,9 +113,12 @@ via the request headers.
> >      <var>header-field</var> header as the useragent IP address, or
list
> >      of intermediate useragent IP addresses, subject to further
> configuration
> >      of the <directive
> module="mod_remoteip">RemoteIPInternalProxy</directive> and
> > -    <directive module="mod_remoteip">RemoteIPTrustedProxy</directive>
> directives.  Unless these
> > -    other directives are used, <module>mod_remoteip</module> will trust
> all
> > -    hosts presenting a <directive
> module="mod_remoteip">RemoteIPHeader</directive> IP value.</p>
> > +    <directive module="mod_remoteip">RemoteIPTrustedProxy</directive>
> directives.</p>
> > +
> > +    <note type="warning"> Unless these other directives are used,
> <module>mod_remoteip</module>
> > +    will trust all hosts presenting a non internal address in the
> > +    <directive module="mod_remoteip">RemoteIPHeader</directive> header
> value.
> > +    </note>
> >
> >      <example><title>Internal (Load Balancer) Example</title>
> >      <highlight language="config">
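
Review bot: in the new warning note, "these other directives" loses its antecedent now that the sentence sits in its own <note> after the closing </p>; name RemoteIPInternalProxy and RemoteIPTrustedProxy explicitly inside the note. The phrase "trust all hosts presenting a non internal address" also leaves unclear whether the condition is on the connecting peer or on the header value; wording such as "will trust any peer, and accept any non-internal address that peer presents in the header" would remove the ambiguity, and "non internal" should be hyphenated.
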
> > @@ -213,20 +216,26 @@ RemoteIPProxiesHeader X-Forwarded-By
> >
> >  <directivesynopsis>
> >  <name>RemoteIPTrustedProxy</name>
> > -<description>Declare client intranet IP addresses trusted to present
> the RemoteIPHeader value</description>
> > +<description>Restrict client IP addresses trusted to present the
> RemoteIPHeader value</description>
> >  <syntax>RemoteIPTrustedProxy
> <var>proxy-ip</var>|<var>proxy-ip/subnet</var>|<var>hostname</var>
> ...</syntax>
> >  <contextlist><context>server config</context><context>virtual
> host</context></contextlist>
> >
> >  <usage>
> > -    <p>The <directive
> module="mod_remoteip">RemoteIPTrustedProxy</directive> directive adds one
> > -    or more addresses (or address blocks) to trust as presenting a valid
> > -    RemoteIPHeader value of the useragent IP.  Unlike the
> > -    <directive module="mod_remoteip">RemoteIPInternalProxy</directive>
> directive, any intranet
> > +    <p>The <directive
> module="mod_remoteip">RemoteIPTrustedProxy</directive>
> > +    directive restricts which peer IP addresses (or address blocks)
> will be
> > +    trusted to present  a valid RemoteIPHeader value of the useragent
> IP.</p>
> > +
> > +    <p> Unlike the <directive
> module="mod_remoteip">RemoteIPInternalProxy</directive> directive, any
> intranet
> >      or private IP address reported by such proxies, including the 10/8,
> 172.16/12,
> >      192.168/16, 169.254/16 and 127/8 blocks (or outside of the IPv6
> public
> >      2000::/3 block) are not trusted as the useragent IP, and are left
> in the
> >      <directive module="mod_remoteip">RemoteIPHeader</directive>
> header's value.</p>
> >
> > +    <note type="warning">By default, <module>mod_remoteip</module>
will
> trust
> > +    all hosts presenting a non internal address in the
> > +    <directive module="mod_remoteip">RemoteIPHeader</directive> header
> value.
> > +    </note>
> > +
> >      <example><title>Trusted (Load Balancer) Example</title>
> >          <highlight language="config">
> >  RemoteIPHeader X-Forwarded-For
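
Review bot: the warning added just before the Trusted (Load Balancer) example says "By default" without saying which configuration that is, and it repeats the RemoteIPHeader warning almost word for word. Tie it to this directive, for example by stating that the default applies when no RemoteIPTrustedProxy or RemoteIPInternalProxy entry is configured and that adding one restricts trust to the listed peers, which is what the new description and first paragraph claim. Minor: there is a double space in "present  a valid" and a stray leading space in "<p> Unlike".
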
> > @@ -239,7 +248,7 @@ RemoteIPTrustedProxy proxy.example.com
> >
> >  <directivesynopsis>
> >  <name>RemoteIPTrustedProxyList</name>
> > -<description>Declare client intranet IP addresses trusted to present
> the RemoteIPHeader value</description>
> > +<description>Restrict client IP addresses trusted to present the
> RemoteIPHeader value</description>
> >  <syntax>RemoteIPTrustedProxyList <var>filename</var></syntax>
> >  <contextlist><context>server config</context><context>virtual
> host</context></contextlist>
> >
> >
> >
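
Review bot: the new RemoteIPTrustedProxyList description is word for word the one given to RemoteIPTrustedProxy in the previous hunk, although the syntax line shows this directive takes a filename; say that the trusted addresses are read from a file so the two entries can be told apart. This hunk changes only the description, so the usage text and the default-trust warning for this directive should be checked for the same update.
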
>
>
>
> --
> Eric Covener
> covener@gmail.com
>
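
The trust rules discussed in this thread, as an added example that is not part of the original message and is not mod_remoteip's code: a simplified Python model of how a forwarded-for header is consumed, following the behaviour the quoted documentation describes. The function names, the `internal`/`trusted` parameters and all sample addresses are constructed for illustration.

```python
import ipaddress

# IPv4 blocks the quoted documentation lists as intranet/private.
PRIVATE_V4 = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "169.254.0.0/16", "127.0.0.0/8")]
PUBLIC_V6 = ipaddress.ip_network("2000::/3")

def is_internal_address(ip):
    """True for the private IPv4 blocks, or IPv6 outside 2000::/3."""
    if ip.version == 4:
        return any(ip in n for n in PRIVATE_V4)
    return ip not in PUBLIC_V6

def _matches(ip, nets):
    return any(ip.version == n.version and ip in n for n in nets)

def effective_client_ip(peer, header, internal=(), trusted=()):
    """Model of the header walk; returns (client_ip, entries left in header).

    internal / trusted stand in for RemoteIPInternalProxy and
    RemoteIPTrustedProxy. With neither set, every peer is trusted,
    but only for non-internal addresses (the documented default).
    """
    internal = [ipaddress.ip_network(n) for n in internal]
    trusted = [ipaddress.ip_network(n) for n in trusted]
    trust_all = not internal and not trusted
    current = ipaddress.ip_address(peer)
    entries = [e.strip() for e in header.split(",") if e.strip()]
    while entries:
        from_internal = _matches(current, internal)
        if not (from_internal or trust_all or _matches(current, trusted)):
            break                      # current hop may not vouch for anyone
        try:
            candidate = ipaddress.ip_address(entries[-1])
        except ValueError:
            break                      # unparsable entry stays in the header
        if not from_internal and is_internal_address(candidate):
            break                      # private value from a non-internal proxy
        current = candidate            # accept rightmost entry, keep walking
        entries.pop()
    return str(current), entries
```

In this model a header value of 127.0.0.1 is only ever accepted from a peer listed as internal, so a `Require ip 127.0.0.1` rule is not satisfied by a header sent from an arbitrary host.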
