Hold on a second. That's still not going to be a good spoof because you also would check REMOTE_CLIENT as usual, and expect to always see your front-end's IP there, so Randal's example isn't completely accurate, since you'll see the real client's IP there and thus know not to trust the X-Forwarded-For header. What you really want to check is what the front-end does if there's already an X-Forwarded-For header. If it overwrites it, you should be fine.
Issac

Randal L. Schwartz wrote:
>>>>>> "Boysenberry" == Boysenberry Payne <[EMAIL PROTECTED]> writes:
>
> Boysenberry> I'm using a two server system. Front end Apache 1.33/php4
> Boysenberry> uses mod_proxy
> Boysenberry> and mod_rewrite to proxy to the back end Apache2/MP2 system.
>
> Boysenberry> I was wondering if $ENV{HTTP_X_FORWARDED_HOST} is a reliable way
> Boysenberry> to determine the domain of the request; or is it easily spoofed?
>
> telnet your.server.example.com 80
> GET /some/url HTTP/1.0
> X-forwarded-for: some-other-host
> CR
> CR
>
> Yeah, that's tough to spoof. :)
>
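The trust rule the reply above describes, as an added example that is not from anyone on this thread and is written in Python rather than the mod_perl the back end actually runs: the back end only believes X-Forwarded-For (and, for the original question, X-Forwarded-Host) when the peer address of the connection is its own front end, and even then it uses only the value the front end itself added. The front-end address 10.0.0.5 and the client addresses are constructed for the example. The code assumes the front end either overwrites the header or appends to an existing one (so the right-most entry is the one it added); the telnet case from the quoted message, a direct connection with a forged header, falls out of the first check.

```python
import ipaddress
from typing import Mapping, Optional

# Constructed front-end address for this example. In a real deployment this is
# the address of your own reverse proxy, configured on the back end, never a
# value read from any request header.
TRUSTED_PROXIES = frozenset({"10.0.0.5"})


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def client_ip(remote_addr: str, headers: Mapping[str, str],
              trusted_proxies=TRUSTED_PROXIES) -> str:
    """Return the address the back end should treat as the real client.

    remote_addr is the TCP peer address (REMOTE_ADDR in CGI/mod_perl terms),
    the one fact the back end knows first-hand. X-Forwarded-For is consulted
    only when that peer is our front end.
    """
    if remote_addr not in trusted_proxies:
        # Direct connection to the back end (the telnet case): any
        # X-Forwarded-For present was written by the client, so ignore it.
        return remote_addr

    xff = _header(headers, "X-Forwarded-For") or ""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return remote_addr

    # If the client already sent X-Forwarded-For and the front end appended
    # to it, the right-most entry is the one the front end added. If the
    # front end overwrote the header, the single entry is also the last one.
    candidate = hops[-1]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        # Not an IP literal at all ("some-other-host"): fall back to the peer.
        return remote_addr
    return candidate


def request_host(remote_addr: str, headers: Mapping[str, str],
                 trusted_proxies=TRUSTED_PROXIES) -> str:
    """Host the request was made for, with the same trust rule for X-Forwarded-Host."""
    if remote_addr in trusted_proxies:
        fwd = _header(headers, "X-Forwarded-Host") or ""
        hosts = [h.strip() for h in fwd.split(",") if h.strip()]
        if hosts:
            return hosts[-1]
    # Direct connection, or the front end sent no forwarded host: use Host.
    return _header(headers, "Host") or ""


if __name__ == "__main__":
    # Constructed requests: one relayed by the front end, one direct.
    via_proxy = {"Host": "backend.internal",
                 "X-Forwarded-For": "203.0.113.9, 198.51.100.7",
                 "X-Forwarded-Host": "www.example.com"}
    direct = {"Host": "backend.internal",
              "X-forwarded-for": "some-other-host",
              "X-Forwarded-Host": "www.example.com"}
    print(client_ip("10.0.0.5", via_proxy), request_host("10.0.0.5", via_proxy))
    print(client_ip("198.51.100.7", direct), request_host("198.51.100.7", direct))
```

In the relayed request the client supplied its own X-Forwarded-For and the front end appended the real address, so the right-most entry wins; in the direct request the peer is not the front end, so both forwarded headers are ignored and the back end reports the peer address and its own Host header.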