httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Daniel Ruggeri <DRugg...@primary.net>
Subject Re: mod_remoteip and mod_http2 combined
Date Sat, 01 Apr 2017 13:56:24 GMT
Sorry for the top post. I've committed r1789800 which pulls out Optional
handling and adds the ability to disable based on source network. This
is more or less the code as it was donated, plus some cleanup and the
small addition to disable based on networks (overall a cleaner approach
anyway). I went with the directive name
RemoteIPProxyProtocolDisableHosts to align more with the fact that a
single host or range can be disabled. I've verified this works via
haproxy, rejects when hit directly and disables processing when coming
from a permitted network.

I'm in the process of updating the backport proposal. To be safe, I'm
removing @jim's vote given how many times the code has changed since he
reviewed and will put it back in the "active" section of STATUS.

-- 
Daniel Ruggeri

On 4/1/2017 8:17 AM, Daniel Ruggeri wrote:
> Agreed - as many times as I read the spec, I have no idea how I did not
> see that security advisory.  It's flat-out damning to the idea of an
> "optional" mode. I'll go ahead and rip out the optional processing and
> will add your suggested idea of a list of subnets to disable parsing. I
> hope to have a patch later this morning to share. As awful as the name
> is, I'm thinking RemoteIPProxyProtocolDisableNetworks ARG1 ARG2 ARG3.
>


Mime
View raw message