tomcat-users mailing list archives

From Cyrille Le Clerc <clecl...@xebia.fr>
Subject Re: Cannot set remote address in valve (Tomcat 5.5)
Date Fri, 09 Oct 2009 16:48:06 GMT
Hello Christopher,


> > An idea to mitigate this risk is to ask the network team to remove
> > some http headers at the entry of the platform (x-forwarded-for,
> > x-forwarded-proto, x-forwarded-... )
>
> This makes a lot of sense, except that there might be some legitimate
> proxies in the path that shouldn't be removed.

My idea was to clean up headers just at the entrance of the data
center. Indeed, intermediate proxies cannot clean up headers;
otherwise, information can be lost.

> >> Uh.... huh? That seems counter-intuitive to trust the first untrusted IP
> >> address you find. I'll read about mod_remoteip and see what it's all about.
> >
> > My mistake, I forgot to mention that it was evaluating from the right
> > to the left.
>
> Aah, that makes more sense. Thanks for the clarification.

I hope one day I will find time to blog about it with clear schemas;
it will be much easier to understand than long sentences :-)


Cyrille
--
Cyrille Le Clerc
cleclerc@xebia.fr cyrille@cyrilleleclerc.com
http://blog.xebia.fr
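
The right-to-left evaluation discussed in this message, as an added example that is not part of the original e-mail and is not Tomcat's or mod_remoteip's code. The class name `ForwardedForResolver`, the trusted proxy addresses and the sample header values are assumptions constructed for illustration, and returning the leftmost entry when every hop is a trusted proxy is a choice made here.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class ForwardedForResolver {
    // Assumption: the proxies we operate, matched by exact address.
    private final Set<String> trustedProxies;

    public ForwardedForResolver(String... trustedProxies) {
        this.trustedProxies = new HashSet<>(Arrays.asList(trustedProxies));
    }

    /** peerAddress is the TCP peer, i.e. what getRemoteAddr() reports. */
    public String resolve(String peerAddress, String xForwardedFor) {
        // The header only means something if one of our own proxies handed us the request.
        if (xForwardedFor == null || !trustedProxies.contains(peerAddress)) {
            return peerAddress;
        }
        String[] hops = xForwardedFor.split(",");
        String candidate = peerAddress;
        // Walk from the right: the rightmost entries were appended closest to us.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (hop.isEmpty()) {
                continue;
            }
            candidate = hop;
            if (!trustedProxies.contains(hop)) {
                return hop; // first untrusted address: entries to its left are unverified
            }
        }
        return candidate; // only trusted proxies listed: fall back to the leftmost one
    }

    public static void main(String[] args) {
        ForwardedForResolver r = new ForwardedForResolver("10.0.0.5", "10.0.0.6");
        // Constructed inputs using documentation address ranges.
        System.out.println(r.resolve("10.0.0.5", "203.0.113.7, 10.0.0.6"));
        // An extra entry supplied on the left by the client does not change the result.
        System.out.println(r.resolve("10.0.0.5", "192.0.2.1, 203.0.113.7, 10.0.0.6"));
        // The direct peer is not one of our proxies, so the header is ignored.
        System.out.println(r.resolve("198.51.100.9", "10.0.0.6"));
    }
}
```

Stripping `x-forwarded-*` headers at the data center entrance, as proposed above, complements this check: it removes client-supplied entries before the first trusted proxy appends its own.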
