httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Reindl Harald <>
Subject Re: mood_remoteip ProxyProtocol addition
Date Tue, 07 Feb 2017 23:01:03 GMT

Am 07.02.2017 um 23:50 schrieb Yann Ylavic:
> On Tue, Feb 7, 2017 at 11:34 PM, Reindl Harald <> wrote:
>> Am 07.02.2017 um 22:53 schrieb Yann Ylavic:
>>> I mean the application can know about "X-Forwarded-Proto or whatever"
>>> header, it could act with it like it does with HTTPS=on (if it
>>> wishes)
>> for that you would need to touch each and every application and you have not
>> secure way to know for sure if that header is trustable, when mod_remoteip
>> is part of the game you even don't know (and should not know) the physical
>> connecting IP
> I agree with that, "X-Forwarded-Proto or whatever" was meant to say "a
> trustable information", and I even agree that's mod_remoteip's job to
> give that information.
> I just don't think we should make as if httpd were running https (i.e.
> for all modules/applications to think it is), but rather give the real
> information: trustable remote is running https

with a wayback machine this would be pretty cool, but whatever you do at 
this point in time needs to

a) get implemented in the tls offlaoding software
b) get implemented in the backend-server (httpd)
c) get implemented in each and every web application

while a) and b) are realistic in a mid-term timeframe c) is not and 
additionally c) needs to to it secure

to do it secure is even a real problem

how can you trust as a php application developer that 
"X-Forwarded-Proto" is trustable and not from the enduser client at all 
- for REMOTE_ADDR you don't consider "X-Forwarded-For" exactly for that 

when mod_remoteip is in place "X-Forwarded-For" contains only untrusted 
informations and the ip of your own proxy is ripped out of that header

without mod_remoteip you get unfiltered whatever came over the wire and 
you have no idea within the php application if you are behind a proxy at 

at least not trusted one and even if httpd promises in a later version 
that you don't get that header from untrusted sources you have no idea 
if the httpd on your hoster has that promise (LTS distributions with no 
real versions) and there are other webservers too

hence application developers are advised making no decisions based on 
that header - i would find it questionable having a "X-Forwarded-Proto" 
where you have to deal with in the application and "X-Forwarded-For" 
where you *must not* process it for security reasons

View raw message