httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: mood_remoteip ProxyProtocol addition
Date Tue, 07 Feb 2017 22:34:34 GMT


Am 07.02.2017 um 22:53 schrieb Yann Ylavic:
> On Tue, Feb 7, 2017 at 10:14 PM, Jordan Gigov <coladict@gmail.com> wrote:
>> On 7 February 2017 at 22:33, Yann Ylavic <ylavic.dev@gmail.com> wrote:
>>> I'm a bit reluctant with these patches, and probably need to be
>>> convinced this isn't an application issue in the first place (why not
>>> use X-Forwarded-Proto or alike to achieve the same? i.e. generate
>>> https links...), or an SSL endpoint issue (why not rewrite URLs or
>>> alike there?).
>> It can be X-Forwarded-Proto or whatever you set it to with my patch
>> (for the standard method of proxying).
>> I can't speak to the ProxyProtocol one.
>>
>> I also don't see what you mean by an "application issue".
>
> I mean the application can know about "X-Forwarded-Proto or whatever"
> header, it could act with it like it does with HTTPS=on (if it
> wishes)

for that you would need to touch each and every application and you have 
no secure way to know for sure if that header is trustable, when 
mod_remoteip is part of the game you don't even know (and should not 
know) the physical connecting IP

and so when you write an application to directly process that header you 
make your application vulnerable in every environment where the outside 
client fakes that header

dealing with it the same way as for REMOTE_ADDR would make it 100% 
transparent for the application and it would only trigger if the admin 
configured the underlying server as he does with mod_remoteip's 
"RemoteIPInternalProxy"

it's not an application issue - the application must not know anything 
about infrastructure decisions - it's the job of the underlying 
infrastructure
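Added illustration of the two approaches discussed in this thread (example code, not from httpd or from any poster): an application that trusts the proto header unconditionally beside one that honours it only when the physical peer is in a configured internal-proxy list, the same rule mod_remoteip applies to REMOTE_ADDR via RemoteIPInternalProxy. Header name, trust list and addresses are constructed.

```python
import ipaddress

# Constructed: the header name is configurable in the patch under discussion;
# X-Forwarded-Proto is the conventional default.
PROTO_HEADER = "x-forwarded-proto"

# Constructed trust list, analogous to "RemoteIPInternalProxy 10.0.0.0/8".
INTERNAL_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _proto_value(headers):
    """Case-insensitive lookup; first element if the proxy chain appended values."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(PROTO_HEADER, "").split(",")[0].strip().lower()


def naive_scheme(headers):
    """The pattern the thread warns about: the application acts on the header
    without knowing whether a trusted proxy or the outside client set it."""
    return "https" if _proto_value(headers) == "https" else "http"


def trusted_scheme(remote_addr, headers, internal_proxies, conn_is_tls=False):
    """Infrastructure-level handling: the header only counts when the TCP peer
    is a configured internal proxy; otherwise the real connection decides."""
    real = "https" if conn_is_tls else "http"
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in internal_proxies):
        return real  # header from an untrusted peer is ignored, not rejected
    value = _proto_value(headers)
    return value if value in ("http", "https") else real


def demo():
    """Same spoofed header, seen from the Internet and from the internal proxy."""
    spoofed = {"X-Forwarded-Proto": "https"}  # constructed request header
    return {
        "naive_from_internet": naive_scheme(spoofed),
        "trusted_from_internet": trusted_scheme("203.0.113.7", spoofed, INTERNAL_PROXIES),
        "trusted_from_proxy": trusted_scheme("10.1.2.3", spoofed, INTERNAL_PROXIES),
    }


if __name__ == "__main__":
    print(demo())
```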
