Posted to cvs@httpd.apache.org by wr...@apache.org on 2009/02/27 22:07:35 UTC
svn commit: r748698 - /httpd/sandbox/mod_remoteip/README
Author: wrowe
Date: Fri Feb 27 21:07:34 2009
New Revision: 748698
URL: http://svn.apache.org/viewvc?rev=748698&view=rev
Log:
more thoughts
Modified:
httpd/sandbox/mod_remoteip/README
Modified: httpd/sandbox/mod_remoteip/README
URL: http://svn.apache.org/viewvc/httpd/sandbox/mod_remoteip/README?rev=748698&r1=748697&r2=748698&view=diff
==============================================================================
--- httpd/sandbox/mod_remoteip/README (original)
+++ httpd/sandbox/mod_remoteip/README Fri Feb 27 21:07:34 2009
@@ -57,3 +57,35 @@
* http://meta.wikimedia.org/wiki/XFF_project
+
+
+There is a second tier of issues. We may wish to recognize private IP
+addresses, but only when presented by a specific private proxy or group of
+private proxies. E.g. one or more intranets may be of interest, but on balance
+most are not, even coming from otherwise trusted public proxies. RFC 1918
+defines these as 10./8, 172.16./12 and 192.168./16, and even 127./8 may be
+of interest for purposes of testing or remoting one particular box.
+
+If a given proxy is trusted, but not one of our private proxies, and indicates
+that its immediate X-Forwarded-For pointer is within a private subnet, that
+translation should not occur, and the proxy itself should be treated as the
+client remote IP.
+
+There is another option that presents itself as suggested by the XFF_project
+crew, which is to create a representation of the IP as {private}-via-{public}
+resolutions, which could serve as a uniquifier within the private domain for
+various bandwidth and access control purposes. That's pretty far down in the
+TODO, as it requires some different (and possibly unexpected) handling of the
+conn_rec fields. Because the representation of conn_rec->remote_ip in the
+private address space is often used, e.g. for Allow from 10. syntax to protect
+intranet resources, some other representation in remote_ip must be used.
+
+
+Additional security considerations;
+
+ * Trust is absolute. If the trusted proxy is subject to an MITM attack,
+ or blindly trusts a request X-Forwarded-For field without appending its
+ own address, the server will falsely evaluate such a chain.
+
+
+
\ No newline at end of file
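Review bot: the "Trust is absolute" bullet names the failure mode (a trusted proxy that is MITM'd or that forwards a client-supplied X-Forwarded-For without appending its own address) but not the rule that follows from it, which the paragraph above already implies for the private-subnet case ("the proxy itself should be treated as the client remote IP"); suggest adding one sentence stating that the X-Forwarded-For chain is walked from the last entry (the one appended by the nearest trusted proxy) inward and that evaluation stops at the first address not on the trusted-proxy list, so an operator understands that listing a proxy as trusted means vouching for every hop behind it. Two smaller points in the same hunk: the heading "Additional security considerations;" ends in a semicolon where a colon is intended, and the hunk leaves three trailing blank lines while dropping the final newline ("\ No newline at end of file"); one blank line plus a terminating newline would keep the file consistent with the rest of the README.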