httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Matus UHLAR - fantomas <uh...@fantomas.sk>
Subject Re: [users@httpd] X_FORWARDED_FOR, squid and apache IP cheating
Date Fri, 30 May 2008 07:54:09 GMT
On 23.05.08 21:12, howard chen wrote:
> This is my current setup in using squid3 as reverse proxy in front of
> apache:
> 
> browser (e.g. 202.182.201.3) <----> squid3 stable6 <----> apache 1.3.37
> (PHP)
> 
> My PHP will get the user IP by HTTP_X_FORWARDED_FOR pass by squid.
> 
> Now the problem is:
> 
> 1. if user send a request already contains header of
> "X_FORWARDED_FOR", Apache will ignore the value set by Squid and will
> use the client one,
> so my program will be cheated by the client as the IP can be any
> specified by client.

the squid will modify x-forwarded-for and add its own IP to it, so apache
and scripts will get list of all IPs there. You can always configure your
script only to trust your squid when resolving x-forwarded-for or configure
squid to throw that header received from client.

Squid has nice X-Forwarded-For processing and trusted path configuration -
look at its config to see how it does that. You can to it the same way.

> This only occur in Apache 1.x but not Apache 2.x

wow

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese. 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message