httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yann Ylavic <ylavic....@gmail.com>
Subject Re: mood_remoteip ProxyProtocol addition
Date Tue, 07 Feb 2017 22:50:49 GMT
On Tue, Feb 7, 2017 at 11:34 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
>
> Am 07.02.2017 um 22:53 schrieb Yann Ylavic:
>>
>> I mean the application can know about "X-Forwarded-Proto or whatever"
>> header, it could act with it like it does with HTTPS=on (if it
>> wishes)
>
> for that you would need to touch each and every application and you have not
> secure way to know for sure if that header is trustable, when mod_remoteip
> is part of the game you even don't know (and should not know) the physical
> connecting IP

I agree with that, "X-Forwarded-Proto or whatever" was meant to say "a
trustable information", and I even agree that's mod_remoteip's job to
give that information.

I just don't think we should make as if httpd were running https (i.e.
for all modules/applications to think it is), but rather give the real
information: trustable remote is running https.

Mime
View raw message