httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] .htaccess mixed access based on client-ip/auth
Date Thu, 07 Dec 2006 20:36:05 GMT
On 12/7/06, ara.t.howard@noaa.gov <ara.t.howard@noaa.gov> wrote:

> >> ps.  any thoughts on why 'Allow from x.x.x.x' uses REMOTE_ADDR and not
> >> HTTP_CLIENT_IP?
> >
> > Because HTTP_CLIENT_IP is completely non-standard and could be
> > trivially manipulated by the client in most circumstances?
>
> hmmm.  in this case i'm behind a server iron, so i assume HTTP_CLIENT_IP is
> actually set via the REMOTE_ADDR on __that__ machine.  but the point is well
> taken.

You should be fine if:
1) the proxy clears any existing Client-IP header before setting its own; and
2) the back-end box accepts connections only from the proxy.

(The latter one is a little tricky, since you can't use mod_access to
do this restriction in your current setup.  You'll need to use a
firewall.)

>
> still, i think even REMOTE_ADDR could be spoofed easily couldn't it?

No, it is determined directly from the TCP/IP connection information
which cannot be (easily) spoofed.  The Client-IP is simply a request
header which the client (or proxy) completely controls.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message