Message-ID: <4ACF5B6F.7010603@christopherschultz.net>
Date: Fri, 09 Oct 2009 11:49:03 -0400
From: Christopher Schultz
To: Tomcat Users List
Subject: Re: Cannot set remote address in valve (Tomcat 5.5)

Cyrille,

On 10/9/2009 9:16 AM, Cyrille Le Clerc wrote:
> An idea to mitigate this risk is to ask the network team to remove
> some http headers at the entry of the platform (x-forwarded-for,
> x-forwarded-proto, x-forwarded-... )

This makes a lot of sense, except that there might be some legitimate
proxies in the path that shouldn't be removed.

>> Uh.... huh? That seems counter-intuitive to trust the first untrusted IP
>> address you find. I'll read about mod_remoteip and see what it's all about.
>
> My mistake, I forgot to mention that it was evaluating from the right
> to the left.

Aah, that makes more sense. Thanks for the clarification.

-chris
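
The right-to-left evaluation discussed in this message, as an added example that is not part of the original post and is not Tomcat or mod_remoteip code. The class and method names, the trusted-proxy set and all addresses are assumptions made up for the illustration.

```java
import java.util.Set;

// Added illustration: class, method and all addresses are hypothetical sample data.
public class ForwardedForResolver {

    // Walk X-Forwarded-For from right to left, starting at the TCP peer.
    // Trusted proxies are skipped; the first address that is NOT trusted is
    // the client. Everything to its left was supplied by that client and is
    // never believed. If every hop is trusted, the leftmost hop is returned.
    static String resolveClient(String peer, String xff, Set<String> trustedProxies) {
        if (xff == null || !trustedProxies.contains(peer)) {
            return peer; // untrusted direct peer: its header is ignored entirely
        }
        String[] hops = xff.split(",");
        String client = peer;
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (hop.isEmpty()) continue;
            client = hop;
            if (!trustedProxies.contains(hop)) break;
        }
        return client;
    }

    // The naive reading the thread warns about: believe the leftmost entry.
    static String leftmost(String xff) {
        return xff.split(",")[0].trim();
    }

    public static void main(String[] args) {
        Set<String> trusted = Set.of("10.0.0.5", "10.0.0.6"); // internal proxies
        // Constructed request: client 203.0.113.7 sent its own
        // "X-Forwarded-For: 198.51.100.9"; proxy 10.0.0.5 appended the client,
        // proxy 10.0.0.6 appended 10.0.0.5 and is the TCP peer of Tomcat.
        String xff = "198.51.100.9, 203.0.113.7, 10.0.0.5";
        System.out.println("left-to-right: " + leftmost(xff));
        System.out.println("right-to-left: " + resolveClient("10.0.0.6", xff, trusted));
        // Same forged header sent straight to Tomcat, bypassing the proxies.
        System.out.println("direct peer:   " + resolveClient("203.0.113.7", "198.51.100.9", trusted));
    }
}
```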