perl-modperl mailing list archives

From Frank Wiles <fr...@wiles.org>
Subject Re: Is $ENV{HTTP_X_FORWARDED_HOST} reliable
Date Sat, 17 Dec 2005 23:56:51 GMT
On Sat, 17 Dec 2005 16:51:20 -0600
Boysenberry Payne <boysenberry@humaniteque.com> wrote:

> Hello Everyone,
> 
> 	I'm using a two server system.  Front end Apache 1.33/php4
> uses mod_proxy
> and mod_rewrite to proxy to the back end Apache2/MP2 system.
> 
> 	I was wondering if $ENV{HTTP_X_FORWARDED_HOST} is a reliable
> way to determine the domain of the request; or is it easily spoofed?

  The best way to do this is to use the virtual hosts on the front
  end to your advantage.  So on the front end you "tell" the backend
  which domain it came from: 

  <VirtualHost domain.com:80> 

    ProxyPass /     http://localhost:8080/domain.com/ 
    ProxyPassReverse / http://localhost:8080/domain.com/ 
  </VirtualHost> 

  By passing in the domain this way you can see where it came from.
  I'm sure there are probably a number of other ways to get this done,
  but that was the first that popped into my head. 

  Also, any reason you're writing your own IP restrictions instead of
  just using allow from/deny from in Apache? 

 ---------------------------------
   Frank Wiles <frank@wiles.org>
   http://www.wiles.org
 ---------------------------------
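
The backend side of the path-prefix approach described in the reply above, as an added example that is not part of the original message: plain Perl that takes the domain from the first path segment the front end's ProxyPass prepends and does not consult X-Forwarded-Host. The function name `domain_from_uri`, the allow-list and the sample requests are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Domains the front end has a <VirtualHost> for (constructed sample values).
my %KNOWN_DOMAIN = map { $_ => 1 } qw(domain.com example.org);

# Split "/domain.com/rest/of/path" into ("domain.com", "/rest/of/path").
# Returns an empty list when the prefix is missing or is not a known domain.
sub domain_from_uri {
    my ($path) = @_;
    return unless defined $path;
    my ($prefix, $rest) = $path =~ m{\A/([^/]+)(/.*)?\z}s or return;
    my $domain = lc $prefix;
    return unless $KNOWN_DOMAIN{$domain};
    return ($domain, defined $rest ? $rest : '/');
}

# Constructed sample requests as the backend would see them:
# [ request path after ProxyPass, X-Forwarded-Host header value ]
my @samples = (
    [ '/domain.com/index.html',   'domain.com' ],
    [ '/domain.com/admin/',       'other.example' ],  # header disagrees; the path decides
    [ '/unknown.test/index.html', 'domain.com' ],     # prefix not configured on the front end
    [ '/',                        'domain.com' ],     # no prefix at all
);

for my $s (@samples) {
    my ($path, $xfh) = @$s;
    my ($domain, $rest) = domain_from_uri($path);
    if (defined $domain) {
        print "$path -> domain=$domain path=$rest (X-Forwarded-Host '$xfh' not used)\n";
    }
    else {
        print "$path -> rejected: no known domain prefix\n";
    }
}
```

The prefix is only as trustworthy as the network path: it identifies the virtual host reliably when the backend port (localhost:8080 in the reply) accepts connections from the front end alone, since anyone who can reach the backend directly can choose the prefix themselves.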

