Date: Thu, 7 Dec 2006 16:37:34 -0500
From: "Joshua Slive"
To: users@httpd.apache.org, ara.t.howard@noaa.gov
Subject: Re: [users@httpd] .htaccess mixed access based on client-ip/auth

On 12/7/06, ara.t.howard@noaa.gov wrote:
> >> still, i think even REMOTE_ADDR could be spoofed easily couldn't it?
> >
> > No, it is determined directly from the TCP/IP connection information which
> > cannot be (easily) spoofed. The Client-IP is simply a request header which
> > the client (or proxy) completely controls.
>
> ok. i'm understanding correctly then - spoofing remote_addr would most likely
> involve packet wrapping. i'm not sure that would be considered 'hard' - but it
> is indeed harder than setting headers.

I'm not sure what you mean by "packet wrapping". But in general, it
is hard to lie about the source IP address if you want to get a
response from the server and are not on the same local network. (It
is much easier if you are just doing a denial of service attack and
hence don't care if you ever see a response.)

Joshua.
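
An added example, not part of the original message: a loopback Python test server that reports both the connection's peer address (the value Apache exposes as REMOTE_ADDR) and the Client-IP request header, so the two access decisions can be compared for the same request. `TRUSTED_NET`, `in_trusted_net` and `probe` are names made up for this illustration, and 10.0.0.0/8 is a constructed trusted range.

```python
import http.client
import ipaddress
import json
import socketserver
import threading
from http.server import BaseHTTPRequestHandler

# Constructed for this example: the address range the access rule trusts.
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")

def in_trusted_net(value):
    """True if value parses as an IP address inside TRUSTED_NET."""
    try:
        return ipaddress.ip_address(value) in TRUSTED_NET
    except (TypeError, ValueError):
        return False

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        peer = self.client_address[0]            # taken from the TCP connection
        claimed = self.headers.get("Client-IP")  # taken from the request text
        body = json.dumps({
            "remote_addr": peer,
            "client_ip_header": claimed,
            "allowed_by_header": in_trusted_net(claimed),
            "allowed_by_remote_addr": in_trusted_net(peer),
        }).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def probe(claimed_ip):
    """Serve one loopback request that carries 'Client-IP: claimed_ip'."""
    with socketserver.TCPServer(("127.0.0.1", 0), Handler) as server:
        worker = threading.Thread(target=server.handle_request, daemon=True)
        worker.start()
        conn = http.client.HTTPConnection(*server.server_address, timeout=5)
        conn.request("GET", "/", headers={"Client-IP": claimed_ip})
        result = json.loads(conn.getresponse().read())
        conn.close()
        worker.join(timeout=5)
    return result

if __name__ == "__main__":
    print(probe("10.1.2.3"))
```

The header-based decision follows whatever value the request carries, while the connection-based decision reflects the loopback peer the server actually accepted.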