On Thu, 7 Dec 2006, Joshua Slive wrote:
You should be fine if: 1) the proxy clears any existing Client-IP header before setting its own; and 2) the back-end box accepts connections only from the proxy. (The latter one is a little tricky, since you can't use mod_access to do this restriction in your current setup. You'll need to use a firewall.)
ok. i'm sure of 2 but not one. i'll verify on 1. thanks.
still, i think even REMOTE_ADDR could be spoofed easily couldn't it?No, it is determined directly from the TCP/IP connection information which cannot be (easily) spoofed. The Client-IP is simply a request header which the client (or proxy) completely controls.
ok. i'm understanding correclty then - spoofing remote_addr would most likely involve packet wrapping. i'm not sure that would be consider 'hard' - but it is indeed harder than setting headers. thanks for the info! -a -- if you want others to be happy, practice compassion. if you want to be happy, practice compassion. -- the dalai lama --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|