httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ara.t.how...@noaa.gov
Subject Re: [users@httpd] .htaccess mixed access based on client-ip/auth
Date Thu, 07 Dec 2006 21:26:52 GMT
On Thu, 7 Dec 2006, Joshua Slive wrote:

> You should be fine if:
> 1) the proxy clears any existing Client-IP header before setting its own; and
> 2) the back-end box accepts connections only from the proxy.
>
> (The latter one is a little tricky, since you can't use mod_access to
> do this restriction in your current setup.  You'll need to use a
> firewall.)

ok.  i'm sure of 2 but not one.  i'll verify  on 1.  thanks.

>> 
>> still, i think even REMOTE_ADDR could be spoofed easily couldn't it?
>
> No, it is determined directly from the TCP/IP connection information which
> cannot be (easily) spoofed.  The Client-IP is simply a request header which
> the client (or proxy) completely controls.

ok.  i'm understanding correclty then - spoofing remote_addr would most likely
involve packet wrapping.  i'm not sure that would be consider 'hard' - but it
is indeed harder than setting headers.

thanks for the info!

-a
-- 
if you want others to be happy, practice compassion.
if you want to be happy, practice compassion.  -- the dalai lama

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message