httpd-modules-dev mailing list archives

From Joe Lewis <...@joe-lewis.com>
Subject Re: deny access to unknow IP addresses
Date Mon, 26 Mar 2007 15:04:57 GMT
A proxy does not submit the information about its client.  Proxies are 
typically used to:

  a) hide client information (e.g. so someone cannot determine network 
topology or design on an internal network)
  b) cache information (opens up the Internet connection for other stuff)
  c) allow IT personnel to track what sites people visit to help stay 
target for legal ramifications or micromanagement

Since proxies do not have to include their client information via any 
header to operate, there is absolutely no way to guarantee that the 
remote IP address on the apache side is accurate.  Apache shouldn't care 
anyway - it is only seeing the connection from the proxy.  Craft your 
configuration carefully.

Joe

devel wrote:
> Well, I wrote this stupid question:
>   
>> remote_ip always point to IP of client if server know it?
>>     
>
> Really, I want to say this, for clients that connect through a proxy. 
> Server always know HTTP_CLIENT_IP but can not know CLIENT_IP if proxy do
> not send it or is false.
>
> Directives of mod_authz_host seems to not include this.
>
> In a case a filter get request before another modules get it, this
> module should terminate connection if proxy do not send it. I do not
> know if this is possible.
>
>
> Thanks Joe. (very patient).
>
>
> On Mon, 26-03-2007 at 07:50 -0600, Joe Lewis wrote: 
>   
>> devel wrote:
>>     
>>> Hello,
>>> In 
>>> conn_rec *connection;
>>> I can see:
>>> char *remote_ip;
>>>
>>> remote_ip always point to IP of client if server know it?
>>>   
>>>       
>> The server will always know the remote IP address - this is because 
>> every TCP connection has two end points, a source address and a 
>> destination.  In order to send packets back to whomever requested the 
>> connection, the source has to be known.  This is placed into the 
>> remote_ip of that record.  (I won't go into the dynamics of NAT and 
>> other network hacks as this is not a TCP/IP discussion arena.)
>>
>> Joachim gave the correct link for documentation on setting up 
>> authorization based on known IP addresses with Apache 2.2.
>>
>> If you must reinvent the wheel, it may be easier to download the Apache 
>> source code and review the mod_authz_host (or appropriate module for 
>> your specific apache version) to familiarize yourself with the code path 
>> of the module.
>>
>> Joe
>>     


-- 
Joseph Lewis <http://sharktooth.org/>
"Divide the fire, and you will sooner put it out." - Publius Syrus
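
The trust decision discussed in this thread, as an added example that is not part of the original messages and is not Apache code: the TCP peer address (what `remote_ip` holds) drives the decision, and a client address claimed by a proxy is consulted only when the peer is a proxy you operate. The function names, the two lists and all addresses are constructed for illustration, and only IPv4 is handled.

```c
#include <arpa/inet.h>
#include <stddef.h>

/* Constructed sample data: proxies we operate, and clients we allow. */
static const char *const TRUSTED_PROXIES[] = { "192.0.2.10" };
static const char *const ALLOWED_CLIENTS[] = { "198.51.100.7", "203.0.113.5" };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Match on the parsed address, not the string. A NULL or unparsable
 * value (including a comma-separated chain of addresses) never matches. */
static int in_list(const char *ip, const char *const *list, size_t n)
{
    struct in_addr a, b;
    size_t i;

    if (ip == NULL || inet_pton(AF_INET, ip, &a) != 1)
        return 0;
    for (i = 0; i < n; i++)
        if (inet_pton(AF_INET, list[i], &b) == 1 && a.s_addr == b.s_addr)
            return 1;
    return 0;
}

/*
 * peer_ip:   address of the TCP peer, i.e. the connection's remote address.
 * forwarded: client address claimed in a proxy-supplied header, or NULL
 *            when the header is absent (hypothetical parameter).
 * Returns 1 to allow the request, 0 to deny it.
 */
int allow_request(const char *peer_ip, const char *forwarded)
{
    if (in_list(peer_ip, TRUSTED_PROXIES, COUNT(TRUSTED_PROXIES))) {
        /* Peer is our own proxy: its header is the only source for the
         * client address, so a missing or malformed value means deny. */
        return in_list(forwarded, ALLOWED_CLIENTS, COUNT(ALLOWED_CLIENTS));
    }
    /* Any other peer: the header is text the sender chose, so it is
     * ignored and the decision rests on the TCP peer address alone. */
    return in_list(peer_ip, ALLOWED_CLIENTS, COUNT(ALLOWED_CLIENTS));
}
```
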
