On 12/7/06, ara.t.howard@xxxxxxxx <ara.t.howard@xxxxxxxx> wrote:
>> ps. any thoughts on why 'Allow from x.x.x.x' uses REMOTE_ADDR and not >> HTTP_CLIENT_IP? > > Because HTTP_CLIENT_IP is completely non-standard and could be > trivially manipulated by the client in most circumstances? hmmm. in this case i'm behind a server iron, so i assume HTTP_CLIENT_IP is actually set via the REMOTE_ADDR on __that__ machine. but the point is well taken.
You should be fine if: 1) the proxy clears any existing Client-IP header before setting its own; and 2) the back-end box accepts connections only from the proxy. (The latter one is a little tricky, since you can't use mod_access to do this restriction in your current setup. You'll need to use a firewall.)
still, i think even REMOTE_ADDR could be spoofed easily couldn't it?
No, it is determined directly from the TCP/IP connection information which cannot be (easily) spoofed. The Client-IP is simply a request header which the client (or proxy) completely controls. Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|