On Wed, 2017-07-12 at 15:56 +0300, Maxim Dounin wrote:
> On Wed, Jul 12, 2017 at 02:08:31PM +0200, Kees Bos wrote:
> > On Tue, 2017-07-11 at 18:12 +0300, Maxim Dounin wrote:
> > > On Fri, Jul 07, 2017 at 03:38:02PM +0200, Kees Bos wrote:
> > > 2. It unconditionally trusts all clients who can connect to the
> > > port in question. This doesn't look wise.
> > I'm not sure what you mean here.
> >
> > There's no way to verify the correctness of the proxy protocol (that's
> > also true for the http/stream implementation). If a proxy protocol
> > header claims to originate from 1.1.1.1:1 and that the connection was
> > originally to 2.2.2.2:2, the listener has no way to know whether that's
> > correct (or not).
> Obviously enough, you can't verify the information provided. But
> you can trust or not trust the particular client. For
> example, in the ngx_http_realip_module this is done using the
> set_real_ip_from directive (http://nginx.org/r/set_real_ip_from) -
> you can explicitly configure address blocks you want to allow to
> set the client's address based on the provided header or PROXY
> protocol.
Yes. That's clear. Now (I think) I understand what you mean.

>
> The link I've provided in the previous message contains an example
> with set_real_ip_from as part of the review.

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
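The distinction Maxim draws above (the PROXY protocol header cannot be verified, so the decision has to be whether to trust the peer that sent it) can be shown in a few lines of code. The following is an added example, not part of the thread, of the nginx patch under review, or of nginx itself: a minimal PROXY protocol v1 header parser plus a trust check in the spirit of set_real_ip_from. The trusted network list, the peer addresses and the header bytes are constructed for the example; the 1.1.1.1:1 / 2.2.2.2:2 values are the ones used in the thread.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed trust list, playing the role of set_real_ip_from blocks:
# only peers inside these networks may rewrite the client address.
# (Assumption: these are the operator's own load-balancer ranges.)
TRUSTED_PROXY_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),   # RFC 5737 documentation range
]

# Maximum v1 header length from the PROXY protocol specification (CRLF included).
MAX_V1_HEADER = 107


def parse_proxy_v1(line: bytes) -> Optional[Tuple[str, int, str, int]]:
    """Parse one PROXY protocol v1 header line.

    Returns (src_ip, src_port, dst_ip, dst_port) for a TCP4/TCP6 header,
    None for a syntactically valid 'PROXY UNKNOWN' header, and raises
    ValueError for anything malformed (the connection should be closed).
    """
    if len(line) > MAX_V1_HEADER or not line.endswith(b"\r\n"):
        raise ValueError("missing CRLF or header too long")
    try:
        parts = line[:-2].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ValueError("non-ASCII byte in header") from exc
    if parts[0] != "PROXY":
        raise ValueError("missing PROXY keyword")
    if len(parts) >= 2 and parts[1] == "UNKNOWN":
        return None  # peer could not determine the original addresses
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("bad field count or protocol")
    family = 4 if parts[1] == "TCP4" else 6
    try:
        src_ip = ipaddress.ip_address(parts[2])
        dst_ip = ipaddress.ip_address(parts[3])
        src_port, dst_port = int(parts[4]), int(parts[5])
    except ValueError as exc:
        raise ValueError("bad address or port") from exc
    if src_ip.version != family or dst_ip.version != family:
        raise ValueError("address family does not match protocol")
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ValueError("port out of range")
    return (str(src_ip), src_port, str(dst_ip), dst_port)


def effective_client_addr(peer_ip: str, header: bytes) -> Tuple[str, str]:
    """Decide which address to treat as the client, set_real_ip_from style.

    Returns (address, source): source is 'proxy_protocol' when the header
    was honoured, 'socket_peer' when it was parsed but not trusted (or was
    UNKNOWN), or 'rejected' when the header is malformed and the
    connection should be dropped regardless of who sent it.
    """
    try:
        parsed = parse_proxy_v1(header)
    except ValueError:
        return ("", "rejected")
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in net for net in TRUSTED_PROXY_BLOCKS)
    if parsed is not None and trusted:
        return (parsed[0], "proxy_protocol")
    # Anyone else who can reach the port only ever gets their real peer address.
    return (peer_ip, "socket_peer")


if __name__ == "__main__":
    # Constructed inputs using the addresses from the thread.
    hdr = b"PROXY TCP4 1.1.1.1 2.2.2.2 1 2\r\n"
    print(effective_client_addr("10.0.0.5", hdr))      # trusted balancer
    print(effective_client_addr("203.0.113.7", hdr))   # untrusted peer
```

The point of the split into two functions is that parsing and trusting are separate decisions: a malformed header always ends the connection, but a well-formed one only changes the client address when the TCP peer is inside an explicitly configured block. Without that second check, any host that can reach the listening port could claim an arbitrary source address.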