-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Paul,

On 4/30/15 3:24 AM, Paul Klinkenberg wrote:
> I never knew the remote_addr could not be trusted, but I believe
> you at once when you say so.
> 
> I thought it was taken from the actual socket connection. With the 
> exception of ajp by the way, where it is programmatically changed
> to reflect the remote client while handling the http call. Out of 
> curiosity, could you shed some light as to why the remote_addr is
> not to be trusted in a regular http request?

The client can spoof the source IP in the packet headers.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----
