[TYPO3-dev] Reinventing getIndpEnv() to support reverse proxys + SSL proxys
Henning Pingel
henning at typo3.org
Mon Feb 18 08:26:25 CET 2008
Hi Masi,
On 16.02.2008 17:27, Martin Kutschker wrote:
> Quite a number of options. But to me at least three of them are access
> control settings, which have little to do with the proxy:
>
> revProxy_limitUserAccessByIP
> revProxy_validUserIPs
>
> And I wonder why you have them. I didn't use it but AFAIK TYPO3 already
> has an IP check for BE users.
Yeah, you are right. 'revProxy_limitUserAccessByIP' and
'revProxy_validUserIPs' are not necessary then, that should be handled
using the already existing functionality instead.
> revProxy_forceBackendAccessViaProxy
>
> This is interesting, but probably doesn't belong to getIndpEnv(). I
> didn't look at your code, but you'll probably have added a TYPO_PROXY
> variable similar to TYPO3_SSL, right?
Not yet, but this would be necessary to somehow let TYPO3 know what's
going on. Having TYPO_PROXY sounds nice to me.
> revProxy_validProxyHostNameList
> revProxy_validProxyIPList
>
> Why two of them? Isn't the IP list enough?
For security reasons, IP checks are necessary, but host name checks are
not that important. I just thought it would add an extra percent of
security to check a value that can only have a certain value and could
be spoofed by somebody (in the case of an SSL proxy, where the website
normally can be accessed in two ways: just via ordinary HTTP or using
HTTPS via the proxy).
In case somebody would expect the proxy's host name in
TYPO3_PROXY_HOST, then it would be necessary to check the value against
a white list to make sure it doesn't contain stupid things.
I have to check if it is necessary when using [SYS][cookieDomain].
But generally, you are right, revProxy_validProxyHostNameList doesn't
seem to be necessary.
> revProxy_approveProxyRequests
>
> I don't get the meaning of this one.
This is just a general switch to turn proxy support on and off. The name
might be misleading. If it's false, the typical HTTP_X_FORWARDED_....
headers that are sent by a proxy are ignored:
I really like this discussion. It helps a lot to talk about things to
find the best solution. Thanks!
Cheers,
Henning
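
The checks discussed in this message, as an added example that is not TYPO3 code and not part of the original post: forwarded headers are honoured only when the switch is on and the direct peer is in the proxy IP list, and a forwarded host is accepted only from the white list. The option names, TYPO_PROXY and TYPO3_PROXY_HOST come from the thread; the function name, the choice of X-Forwarded-For and X-Forwarded-Host as the headers, and all sample values are assumptions.

```php
<?php
// Added illustration; resolveProxyEnv() is a hypothetical helper, not a TYPO3 API.
function resolveProxyEnv(array $server, array $conf): array
{
    $env = [
        'REMOTE_ADDR'      => $server['REMOTE_ADDR'] ?? '',
        'TYPO_PROXY'       => false,
        'TYPO3_PROXY_HOST' => '',
    ];
    // General switch off: forwarded headers are ignored entirely.
    if (empty($conf['revProxy_approveProxyRequests'])) {
        return $env;
    }
    // Forwarded headers are client-controlled unless the directly
    // connected peer is one of the configured proxies.
    if (!in_array($env['REMOTE_ADDR'], $conf['revProxy_validProxyIPList'], true)) {
        return $env;
    }
    $env['TYPO_PROXY'] = true;
    // X-Forwarded-For can be a comma-separated chain. Each proxy appends the
    // peer it saw, so the right-most entry was written by the trusted proxy.
    $chain  = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $client = end($chain);
    if (filter_var($client, FILTER_VALIDATE_IP) !== false) {
        $env['REMOTE_ADDR'] = $client;
    }
    // The forwarded host is accepted only if it is on the white list.
    $host = strtolower(trim($server['HTTP_X_FORWARDED_HOST'] ?? ''));
    if ($host !== '' && in_array($host, $conf['revProxy_validProxyHostNameList'], true)) {
        $env['TYPO3_PROXY_HOST'] = $host;
    }
    return $env;
}

// Constructed sample configuration and requests (documentation address ranges).
$conf = [
    'revProxy_approveProxyRequests'   => true,
    'revProxy_validProxyIPList'       => ['192.0.2.10'],
    'revProxy_validProxyHostNameList' => ['secure.example.org'],
];
$direct  = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1',
            'HTTP_X_FORWARDED_HOST' => 'secure.example.org'];
$proxied = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1, 198.51.100.23',
            'HTTP_X_FORWARDED_HOST' => 'evil.example.net'];

echo json_encode(resolveProxyEnv($direct, $conf)), "\n";  // headers from a non-proxy peer are ignored
echo json_encode(resolveProxyEnv($proxied, $conf)), "\n"; // client IP taken from proxy, unlisted host dropped
```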