Hi there,

I learned that mod_remoteip does IP address resolution including DNS when it processes a token from the configured RemoteIPHeader. In the observed case, two different customers using F5 load balancers had a numeric IP address in the header which was followed without white space or separator character by "%N", "N" a number. That thing was said to be a partition tag. Of course one doesn't want such stuff in X-Forwarded-For, but mod_remoteip falling back to DNS was a surprise for me.

Although we clearly express in the docs "It is critical to only enable this behavior from intermediate hosts (proxies, etc) which are trusted by this server, since it is trivial for the remote useragent to impersonate another useragent.", I would prefer it if IP address resolution with DNS were configurable, mostly for performance reasons.

So I think we need a directive for mod_remoteip to enable/disable DNS lookups.

We also need to decide what to do if the header value is not a valid numeric IP address and DNS is turned off. We could fall back to using the connection IP address and proceed with the request, or we could throw an error like a Bad Request, Forbidden, Internal Server Error or similar.

Something like "RemoteIPLookups (On|Off|NNN)". "On" would be current behavior, "Off" would be "No DNS and use connection IP if address is invalid", "NNN" would be "No DNS and return status NNN if address is invalid". Default "On" or "Off" for 2.4 and "Off" for trunk.

Note that we don't have an "IP address string to numeric IP" conversion function at hand. APR has apr_inet_pton(), but unfortunately it currently is not made public via the header files. We could probably copy it in and make it public for future versions.

WDYT?

Rainer
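An added sketch of the decision logic the proposed RemoteIPLookups directive would need; this is illustration code, not httpd's or APR's. It uses POSIX inet_pton() in place of the not-yet-public apr_inet_pton(), and the enum and struct names, the 400 status and the sample addresses (including the "%1" partition-tag suffix from the report) are assumptions made here.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* RemoteIPLookups On | Off | NNN (names assumed for this sketch) */
typedef enum { LOOKUPS_ON, LOOKUPS_OFF, LOOKUPS_STATUS } lookup_mode_t;
typedef struct { lookup_mode_t mode; int status; } remoteip_lookups_t;

typedef struct {
    const char *client_ip; /* address the module would report as the client */
    int status;            /* 0 = proceed, otherwise HTTP status to return */
    int would_use_dns;     /* 1 when "On" would now fall back to a DNS lookup */
} remoteip_result_t;

/* Strictly numeric IPv4/IPv6 literal, no DNS. inet_pton() rejects trailing
 * junk, so a token such as "203.0.113.7%1" is treated as invalid. */
static int is_numeric_ip(const char *s) {
    unsigned char buf[16];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

remoteip_result_t remoteip_evaluate(const remoteip_lookups_t *cfg,
                                    const char *header_token, const char *conn_ip) {
    remoteip_result_t r = { header_token, 0, 0 };
    if (is_numeric_ip(header_token))
        return r;                   /* valid literal: use it in every mode */
    switch (cfg->mode) {
    case LOOKUPS_ON:                /* current behaviour: hand the token to DNS */
        r.would_use_dns = 1;
        break;
    case LOOKUPS_OFF:               /* proposed: keep the connection IP, proceed */
        r.client_ip = conn_ip;
        break;
    case LOOKUPS_STATUS:            /* proposed: keep connection IP, return NNN */
        r.client_ip = conn_ip;
        r.status = cfg->status;
        break;
    }
    return r;
}

int main(void) {
    remoteip_lookups_t off = { LOOKUPS_OFF, 0 }, nnn = { LOOKUPS_STATUS, 400 };
    const char *token = "203.0.113.7%1", *conn = "198.51.100.2"; /* constructed */
    remoteip_result_t a = remoteip_evaluate(&off, token, conn);
    remoteip_result_t b = remoteip_evaluate(&nnn, token, conn);
    printf("Off: client=%s status=%d\n", a.client_ip, a.status);
    printf("400: client=%s status=%d\n", b.client_ip, b.status);
    return 0;
}
```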
