A proxy does not submit the information about its client. Proxies are
typically used to:
a) hide client information (e.g. so someone cannot determine network
topology or design on an internal network)
b) cache information (opens up the Internet connection for other stuff)
c) allow IT personnel to track what sites people visit to help stay
target for legal ramifications or micromanagement
Since proxies do not have to include their client information via any
header to operate, there is absolutely no way to guarantee that the
remote IP address on the apache side is accurate. Apache shouldn't care
anyway - it is only seeing the connection from the proxy. Craft your
configuration carefully.
Joe
devel wrote:
Well, I wrote this stupid question:
Does remote_ip always point to the IP of the client if the server knows it?
Really, I want to say this for clients that connect through a proxy.
The server always knows HTTP_CLIENT_IP but cannot know CLIENT_IP if the proxy
does not send it or it is false.
The directives of mod_authz_host seem not to include this.
In case a filter gets the request before other modules get it, this
module should terminate the connection if the proxy does not send it. I do not
know if this is possible.
Thanks Joe. (very patient).
On Mon, 26-03-2007 at 07:50 -0600, Joe Lewis wrote:
devel wrote:
Hello,
In
conn_rec *connection;
I can see:
char *remote_ip;
Does remote_ip always point to the IP of the client if the server knows it?
The server will always know the remote IP address - this is because
every TCP connection has two end points, a source address and a
destination. In order to send packets back to whomever requested the
connection, the source has to be known. This is placed into the
remote_ip of that record. (I won't go into the dynamics of NAT and
other network hacks as this is not a TCP/IP discussion arena.)
Joachim gave the correct link for documentation on setting up
authorization based on known IP addresses with Apache 2.2.
If you must reinvent the wheel, it may be easier to download the Apache
source code and review the mod_authz_host (or appropriate module for
your specific apache version) to familiarize yourself with the code path
of the module.
Joe
--
Joseph Lewis <http://sharktooth.org/>
"Divide the fire, and you will sooner put it out." - Publius Syrus
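
Added example (not part of the original thread and not Apache's code): a sketch of the point made in the reply, that the TCP peer address is the only value the server can rely on, so a proxy-supplied header is honoured only when the peer is a proxy you operate. The X-Forwarded-For header, the network ranges and the function names are assumptions chosen for illustration.

```python
import ipaddress

# Assumption: constructed sample ranges, not values from the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]   # proxies we run
ALLOWED_CLIENTS = [ipaddress.ip_network("192.0.2.0/24")]  # clients we admit


def _in_any(addr, networks):
    # Membership is False (not an error) when IP versions differ.
    return any(addr in net for net in networks)


def effective_client_ip(peer_ip, forwarded_for=None):
    """Return the address an access decision should be based on.

    peer_ip is the TCP peer, the value Apache 2.2 keeps in
    conn_rec->remote_ip. forwarded_for is the raw X-Forwarded-For
    header value, or None when the header is absent.
    """
    peer = ipaddress.ip_address(peer_ip)
    # Anyone can send the header, so it counts only when the
    # connection itself comes from one of our own proxies.
    if not forwarded_for or not _in_any(peer, TRUSTED_PROXIES):
        return peer
    # Walk right to left: each proxy appends the address it saw, so
    # the rightmost entries are the ones our proxies wrote.
    current = peer
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verified address
        current = addr
        if not _in_any(addr, TRUSTED_PROXIES):
            break  # first hop outside our proxies; entries left of it are unverified
    return current


def is_allowed(peer_ip, forwarded_for=None):
    """Allow/deny in the style of mod_authz_host, on the verified address."""
    return _in_any(effective_client_ip(peer_ip, forwarded_for), ALLOWED_CLIENTS)
```

A proxy that sends no header at all leaves only its own address to decide on, which is the case the reply describes.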