Posted to dev@httpd.apache.org by Jie Gao <J....@isu.usyd.edu.au> on 2005/03/15 03:25:52 UTC

feature proposal

Hi All,

Apache is already passing client IP addr to the backend server via a
mechanism of headers:

X-Forwarded-For
X-Forwarded-Host
X-Forwarded-Server

The difficulty is that very often the backend server is an Apache
server from a vendor, and any changes to the server will void support.
There are also circumstances in which you simply can't recompile
it.

It would be very helpful if Apache has configuration directives in the
core to get those headers (with conditions) in the server configuration
so that acl and logging based on the "real" IP addresses can work.

Thanks very much,



Jie

Re: feature proposal

Posted by Jie Gao <J....@isu.usyd.edu.au>.


On Tue, 15 Mar 2005, Joshua Slive wrote:

> Date: Tue, 15 Mar 2005 08:48:35 -0500
> From: Joshua Slive <jo...@slive.ca>
> Reply-To: dev@httpd.apache.org
> To: dev@httpd.apache.org
> Subject: Re: feature proposal
>
> Jie Gao wrote:
>
> > Yes, there is a security concern with that setup. I can only trust
> > X-Forwarded-For when the request is proxied from my front-end server.
>
> In addition to DW's suggestion, mod_rewrite could easily do this type of
> conditional check.
>
> >
> > Really, to think of it, this feature is a bit tricky to add: on the one
> > hand, Apache knows who it is talking to and on the other hand, it needs
> > to let the acl mechanism know the client is really another one.
>
> Which is exactly the reason this shouldn't be a core feature.  Getting
> the security right is tricky, and would probably be impossible to do in
> a general way (without knowledge of the specific forwarding setup).
>
> >>is probably a module that will do it for you, however.
> >
> >
> > I could write the module myself, but the point is I cannot touch (read:
> > recompile) the backend server
>
> But if you have mod_so, you don't need to recompile the server.

The vendors won't give you any info on how their Apache is configured/compiled:
They won't give you apxs.

Regards,



Jie

Re: feature proposal

Posted by Joshua Slive <jo...@slive.ca>.
Jie Gao wrote:

> Yes, there is a security concern with that setup. I can only trust
> X-Forwarded-For when the request is proxied from my front-end server.

In addition to DW's suggestion, mod_rewrite could easily do this type of 
conditional check.

> 
> Really, to think of it, this feature is a bit tricky to add: on the one
> hand, Apache knows who it is talking to and on the other hand, it needs
> to let the acl mechanism know the client is really another one.

Which is exactly the reason this shouldn't be a core feature.  Getting 
the security right is tricky, and would probably be impossible to do in 
a general way (without knowledge of the specific forwarding setup).

>>is probably a module that will do it for you, however.
> 
> 
> I could write the module myself, but the point is I cannot touch (read:
> recompile) the backend server

But if you have mod_so, you don't need to recompile the server.

Joshua.

Re: feature proposal

Posted by Dirk-Willem van Gulik <di...@webweaving.org>.

On Tue, 15 Mar 2005, Jie Gao wrote:

> Yes, there is a security concern with that setup. I can only trust
> X-Forwarded-For when the request is proxied from my front-end server.

Which of course would then be the -ideal- place to do this access control;
i.e. keep it completely out of your system. And if it is truly bad,
something on IP level makes more sense.

Alternatively -always- unset and set the header to something (say
'unchecked') and only set it to 'badguy' when it is one, so as to overwrite
any incoming headers.

DW

Re: feature proposal

Posted by Jie Gao <J....@isu.usyd.edu.au>.


On Mon, 14 Mar 2005, Joshua Slive wrote:

> Date: Mon, 14 Mar 2005 22:20:39 -0500
> From: Joshua Slive <jo...@slive.ca>
> Reply-To: dev@httpd.apache.org
> To: dev@httpd.apache.org
> Subject: Re: feature proposal
>
>
> On Tue, 15 Mar 2005 13:25:52 +1100 (EST), "Jie Gao"
> <J....@isu.usyd.edu.au> said:
> > Hi All,
> >
> > Apache is already passing client IP addr to the backend server via a
> > mechanism of headers:
> >
> > X-Forwarded-For
> > X-Forwarded-Host
> > X-Forwarded-Server
> >
> > The difficulty is that very often the backend server is an Apache
> > server from a vendor, and any changes to the server will void support.
> > There are also circumstances in which you simply can't recompile
> > it.
> >
> > It would be very helpful if Apache has configuration directives in the
> > core to get those headers (with conditions) in the server configuration
> > so that acl and logging based on the "real" IP addresses can work.
>
> You can do this already, with a tiny bit of work.
>
> For the logs, replace %h with %{X-Forwarded-For}i in your LogFormat.
>
> For access restrictions
> SetEnvIf X-Forwarded-For ^123\.456\.789\.123$ badguy
> Order allow,deny
> Allow from all
> Deny from env=badguy
>
> Not quite as simple and flexible (you can't do reverse lookups on IPs,
> for example), but it seems to me that making it easy to simply replace
> REMOTE_HOST with X-Forwarded-For could lead to security problems.  There

Yes, there is a security concern with that setup. I can only trust
X-Forwarded-For when the request is proxied from my front-end server.

Really, to think of it, this feature is a bit tricky to add: on the one
hand, Apache knows who it is talking to and on the other hand, it needs
to let the acl mechanism know the client is really another one.

> is probably a module that will do it for you, however.

I could write the module myself, but the point is I cannot touch (read:
recompile) the backend server

Regards,


Jie

Re: feature proposal

Posted by Joshua Slive <jo...@slive.ca>.
On Tue, 15 Mar 2005 13:25:52 +1100 (EST), "Jie Gao"
<J....@isu.usyd.edu.au> said:
> Hi All,
> 
> Apache is already passing client IP addr to the backend server via a
> mechanism of headers:
> 
> X-Forwarded-For
> X-Forwarded-Host
> X-Forwarded-Server
> 
> The difficulty is that very often the backend server is an Apache
> server from a vendor, and any changes to the server will void support.
> There are also circumstances in which you simply can't recompile
> it.
> 
> It would be very helpful if Apache has configuration directives in the
> core to get those headers (with conditions) in the server configuration
> so that acl and logging based on the "real" IP addresses can work.

You can do this already, with a tiny bit of work.

For the logs, replace %h with %{X-Forwarded-For}i in your LogFormat.

For access restrictions
SetEnvIf X-Forwarded-For ^123\.456\.789\.123$ badguy
Order allow,deny
Allow from all
Deny from env=badguy

Not quite as simple and flexible (you can't do reverse lookups on IPs,
for example), but it seems to me that making it easy to simply replace
REMOTE_HOST with X-Forwarded-For could lead to security problems.  There
is probably a module that will do it for you, however.

Joshua.
-- 
Joshua Slive
joshua@slive.ca
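An added example, not from the thread: the two halves of the setup the replies describe, with the front end stripping and re-adding X-Forwarded-For (DW's "always unset and set" advice) and the backend honouring the header only when the connection comes from that proxy (Joshua's SetEnvIf rule). The addresses 10.0.0.1 (front-end proxy), 203.0.113.5 (client to block) and backend.example.internal are assumed placeholders, and the directives use the Apache 2.0/2.2 mod_access syntax the thread uses.

```apache
# ---- Front end (reverse proxy) ----
# mod_proxy merges the peer address onto any X-Forwarded-For the client
# already sent, so a client-supplied value would come first in the list.
# Strip the incoming header so the only value the backend ever sees is
# the one this proxy adds (RequestHeader runs in fixups, before proxying).
RequestHeader unset X-Forwarded-For
ProxyPass        / http://backend.example.internal:8080/
ProxyPassReverse / http://backend.example.internal:8080/

# ---- Backend (vendor Apache: configuration only, no recompile) ----
# Log the forwarded client address instead of the proxy's address (%h).
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b" proxied
CustomLog logs/access_log proxied

<Location />
    # Accept connections only from the front-end proxy. A client that
    # connects directly (and so could forge X-Forwarded-For) is refused.
    Order allow,deny
    Allow from 10.0.0.1

    # The header is now trustworthy. Match the LAST address in the list
    # so a forged prefix can never hide the real client, in case the
    # front-end strip above is ever removed.
    SetEnvIf X-Forwarded-For "(^|,\s*)203\.0\.113\.5$" badguy
    Deny from env=badguy
</Location>
```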