Hello Everyone,

I'm using a two server system. Front end Apache 1.33/php4 uses mod_proxy
and mod_rewrite to proxy to the back end Apache2/MP2 system.

        I was wondering if $ENV{HTTP_X_FORWARDED_HOST} is a reliable way
to determine the domain of the request; or is it easily spoofed?

        I'm hoping to use a combination of IP screening like this:

<snip>
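#
# handler for PerlPreConnectionHandler
#
use Apache2::Connection ();                       # provides remote_ip
use Apache2::Const -compile => qw(OK FORBIDDEN);  # status constants

sub handler {
        my Apache2::Connection $c = shift;
        # address of the directly connected peer
        my $ip = $c->remote_ip;
        # %good_ips is predefined elsewhere
        if( $good_ips{$ip} ) {
                return Apache2::Const::OK;
        }
        warn "IP $ip tried to access perl\n";
        return Apache2::Const::FORBIDDEN;
}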
</snip>

where %good_ips is predefined.

        With a domain/user name match where the domain is
being derived from $ENV{HTTP_X_FORWARDED_HOST}.

In order for it to work correctly I would need to know both the
IP and Domain were correct.  Is there any inherent risk with
the way I'm getting the information?  The user name is the only
risk I'm willing to risk, which comes from an .htaccess file where
the proxy is called.

TIA,
Boysenberry

boysenberrys.com | habitatlife.com | selfgnosis.com
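
The trust question raised in this message, as an added example that is not part of the original post: a forwarded host is accepted only when the connection comes from the front-end proxy and the name is on an allow-list. The proxy address, the function name `trusted_forwarded_host` and the assumption that the proxy appends its own value as the last comma-separated element are illustrative, not taken from the poster's setup.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed values for illustration: the front end's address (constructed)
# and the domains the back end serves (taken from the signature above).
my %proxy_ips     = map { $_ => 1 } qw(192.0.2.10);
my %known_domains = map { $_ => 1 }
    qw(boysenberrys.com habitatlife.com selfgnosis.com);

# Return the forwarded host only when it can be trusted, else undef.
sub trusted_forwarded_host {
    my ($peer_ip, $header) = @_;

    # A direct client can send any X-Forwarded-Host it likes, so the
    # header means nothing unless the TCP peer is our own proxy.
    return unless defined $peer_ip && $proxy_ips{$peer_ip};
    return unless defined $header && length $header;

    # Assumption: when the client already sent the header, the proxy
    # appends its own value, so only the last element is the proxy's.
    my @hops = split /\s*,\s*/, $header, -1;   # -1 keeps empty fields
    my $host = lc $hops[-1];
    $host =~ s/^\s+|\s+$//g;                   # trim whitespace
    $host =~ s/:\d+\z//;                       # drop an optional port

    # Allow-list rather than pattern checks: unknown names are rejected.
    return $known_domains{$host} ? $host : undef;
}

# Constructed sample requests: [peer IP, X-Forwarded-Host value]
my @samples = (
    ['192.0.2.10',   'habitatlife.com'],
    ['192.0.2.10',   'selfgnosis.com, HabitatLife.com:80'],
    ['192.0.2.10',   'habitatlife.com, unknown.example'],
    ['198.51.100.7', 'habitatlife.com'],
    ['192.0.2.10',   'habitatlife.com, '],
);

for my $s (@samples) {
    my ($ip, $hdr) = @$s;
    my $host = trusted_forwarded_host($ip, $hdr);
    printf "%-13s %-38s => %s\n", $ip, "'$hdr'",
        defined $host ? "accept $host" : 'reject';
}
```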
