[TYPO3-dev] Reinventing getIndpEnv() to support reverse proxys + SSL proxys

Henning Pingel henning at typo3.org
Mon Feb 18 08:26:25 CET 2008


Hi Masi,

On 16.02.2008 17:27, Martin Kutschker wrote:
> Quite a number of options. But to me at least three of them are access
> control settings, which have little to do with the proxy:
> 
> revProxy_limitUserAccessByIP
> revProxy_validUserIPs
> 
> And I wonder why you have them. I didn't use it but AFAIK TYPO3 already
> has an IP check for BE users.

Yeah, you are right. 'revProxy_limitUserAccessByIP' and
'revProxy_validUserIPs' are not necessary then, that should be handled
using the already existing functionality instead.

> revProxy_forceBackendAccessViaProxy
> 
> This is interesting, but probably doesn't belong to getIndpEnv(). I
> didn't look at your code, but you'll probably have added a TYPO_PROXY
> variable similar to TYPO3_SSL, right?

Not yet, but this would be necessary to somehow let TYPO3 know what's
going on. Having TYPO_PROXY sounds nice to me.

> revProxy_validProxyHostNameList
> revProxy_validProxyIPList
> 
> Why two of them? Isn't the IP list enough?

For security reasons, IP checks are necessary, but host name checks are
not that important. I just thought it would add an extra percent of
security to check a value that can only have a certain value and could
be spoofed by somebody (in case of an SSL proxy, where the website
normally can be accessed in two ways: just via ordinary HTTP or using
HTTPS via the proxy).

In case somebody would expect the proxy's host name in
TYPO3_PROXY_HOST, then it would be necessary to check the value against
a white list to make sure it doesn't contain stupid things.

I have to check if it is necessary when using [SYS][cookieDomain].
But generally, you are right, revProxy_validProxyHostNameList doesn't
seem to be necessary.

> revProxy_approveProxyRequests
> 
> I don't get the meaning of this one.

This is just a general switch to turn proxy support on and off. The name
might be misleading. If it's false the typical HTTP_X_FORWARDED_....
headers that are sent by a proxy are ignored:

I really like this discussion. It helps a lot to talk about things to
find the best solution. Thanks!

Cheers,
Henning
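
Added example, not part of the original message and not TYPO3 code: a sketch of the gating discussed above, where forwarded headers are honoured only if revProxy_approveProxyRequests is on and the connecting address is in revProxy_validProxyIPList. The option semantics, the use of HTTP_X_FORWARDED_FOR, the TYPO_PROXY result key and the function name resolveClientEnv() are assumptions.

```php
<?php
// Added example, not TYPO3 code. Option names come from the thread; their
// semantics, the header used and the TYPO_PROXY result key are assumptions.

function resolveClientEnv(array $server, array $conf): array
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $env = ['REMOTE_ADDR' => $peer, 'TYPO_PROXY' => false];

    // General switch off: forwarded headers are ignored entirely.
    if (empty($conf['revProxy_approveProxyRequests'])) {
        return $env;
    }

    // The TCP peer address is the only value the client cannot set freely,
    // so forwarded headers count only when the peer is a listed proxy.
    $proxies = array_map('trim', explode(',', $conf['revProxy_validProxyIPList'] ?? ''));
    if ($peer === '' || !in_array($peer, $proxies, true)) {
        return $env;
    }

    // X-Forwarded-For can carry a chain; the last entry is the address the
    // listed proxy itself saw, earlier entries are client-supplied.
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $client = end($chain);
    if (filter_var($client, FILTER_VALIDATE_IP) === false) {
        return $env;
    }

    return ['REMOTE_ADDR' => $client, 'TYPO_PROXY' => true];
}

// Constructed sample requests (documentation address ranges).
$conf = ['revProxy_approveProxyRequests' => true, 'revProxy_validProxyIPList' => '192.0.2.10, 192.0.2.11'];
$requests = [
    'via listed proxy'        => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '10.9.9.9, 198.51.100.7'],
    'direct, header spoofed'  => ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
    'listed proxy, bad value' => ['REMOTE_ADDR' => '192.0.2.11', 'HTTP_X_FORWARDED_FOR' => 'not-an-ip'],
];
foreach ($requests as $label => $server) {
    $env = resolveClientEnv($server, $conf);
    printf("%-24s REMOTE_ADDR=%-14s TYPO_PROXY=%s\n", $label, $env['REMOTE_ADDR'], $env['TYPO_PROXY'] ? 'yes' : 'no');
}
```

Only the first request ends up with the forwarded address; the other two keep the connecting address, so a header sent by an unlisted client never influences the result.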
