tomcat-dev mailing list archives

From Henri Gomez <henri.go...@gmail.com>
Subject Re: RemoteIpValve advices
Date Mon, 31 Jan 2011 21:54:14 GMT
> Not necessarily.  The closest immediate proxy is the last entry in that
> list.  You might not trust all of the machines in that proxy chain to provide
> legitimate IP details.

In my case, x-forwarded-for: 1.2.3.4, 10.122.47.36; 1.2.3.4 was my
browser IP and 10.122.47.36 the EC2 IP.

The Valve is not activated by default and should only be used in
the Amazon Load Balancing case.

> mod_remoteip has the concept of trusted vs. untrusted proxies, where only the
> trusted ones will be allowed to present the next-immediate-left IP address as
> a legitimate proxy address, and that IP is then compared to the trust list.

> So you might trust yahoo or google's proxy servers, but not your typically
> pwned user PC which is relaying spam or being employed as a DDoS agent.

x-forwarded-server: domU-12-31-38-00-B2-08.compute-1.internal is a
trusted server, aka EC2 box.

So +1 to have this on RemoteIpFilter/Valve, a unique filter/valve to
handle such cases.
Mark, do you need a code contribution on the RemoteIp Valve?

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
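
The trusted-versus-untrusted proxy walk discussed in this thread, as an added example (not code from the message, from Tomcat's RemoteIpValve, or from mod_remoteip): the header is read right to left from the TCP peer, and only a trusted hop is allowed to vouch for the entry to its left. The class and method names are hypothetical, 10.0.0.5 is a constructed load balancer address, treating 10.122.47.36 as a trusted hop is an assumption, and trust is matched by exact string here.

```java
import java.util.Set;

public class ForwardedForResolver {

    /**
     * Returns the address to treat as the client: the first hop, walking
     * right to left from the TCP peer, that is not a trusted proxy.
     */
    static String resolveClientIp(String peerAddr, String xff, Set<String> trusted) {
        String candidate = peerAddr;      // the only address we observed ourselves
        if (xff == null || xff.trim().isEmpty()) {
            return candidate;
        }
        String[] hops = xff.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            if (!trusted.contains(candidate)) {
                break;                    // untrusted hop: what it reported is ignored
            }
            String hop = hops[i].trim();
            if (hop.isEmpty()) {
                break;                    // malformed entry: keep the last good address
            }
            candidate = hop;              // a trusted proxy vouches for this entry
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed trust list (assumption): load balancer peer plus the EC2 hop.
        Set<String> trusted = Set.of("10.0.0.5", "10.122.47.36");

        // Header from the message: browser IP, then the EC2 hop.
        System.out.println(resolveClientIp("10.0.0.5", "1.2.3.4, 10.122.47.36", trusted));

        // A client-supplied entry sits further left than the walk ever reads.
        System.out.println(resolveClientIp("10.0.0.5",
                "192.0.2.99, 1.2.3.4, 10.122.47.36", trusted));

        // Untrusted peer connecting directly: the header is not consulted at all.
        System.out.println(resolveClientIp("203.0.113.7", "10.122.47.36", trusted));
    }
}
```

Entries to the left of the first untrusted hop are client-controlled, so they should be logged as unverified at most and never used for access decisions.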

