[TYPO3-dev] Reinventing getIndpEnv() to support reverse proxys + SSL proxys

Martin Kutschker Martin.Kutschker at n0spam-blackbox.net
Mon Feb 18 09:56:08 CET 2008


Henning Pingel wrote:
> 
>> revProxy_validProxyHostNameList
>> revProxy_validProxyIPList
>>
>> Why two of them? Isn't the IP list enough?
> 
> For security reasons, IP checks are necessary,

Right, I have them too.

> but host name checks are
> not that important, I just thought, it would add an extra percent of
> security to check a value that can only have a certain value and could
> be spoofed by somebody (in case of an SSL proxy, where the website
> normally can be accessed in two ways: Just via ordinary HTTP or using
> HTTPS via the proxy).
> In case somebody would expect the proxy's host name in
> TYPO3_PROXY_HOST, then it would be necessary to check the value against
> a white list to make sure it doesn't contain stupid things.

I fear I still don't get when I should check the name of the proxy.

>> revProxy_approveProxyRequests
>>
>> I don't get the meaning of this one.
> 
> This is just a general switch to turn proxy support on and off. The name
> might be misleading. If it's false the typical HTTP_X_FORWARDED_....
> headers that are sent by a proxy are ignored:

Ah. My implementation is simply triggered by revProxy_validProxyIPList. If 
anything's inside (and the IP check matches) then I check for 
HTTP_X_FORWARDED_*.

Masi
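
The check discussed above, as an added PHP example that is not part of the original message and not TYPO3's code: X-Forwarded-* headers are honoured only when REMOTE_ADDR matches an entry in the proxy IP list, and an empty list leaves proxy support off. The function name, the comma-separated list format, the choice of X-Forwarded-For and X-Forwarded-Proto, the single-proxy setup and all addresses are assumptions constructed for illustration.

```php
<?php
// Added illustration, not TYPO3 code. resolveRequestEnv() is a hypothetical
// helper; the list format (comma-separated IPs) is an assumption.
function resolveRequestEnv(array $server, string $validProxyIPList): array
{
    $remoteAddr = $server['REMOTE_ADDR'] ?? '';
    $https = strtolower($server['HTTPS'] ?? '');
    $env = [
        'REMOTE_ADDR' => $remoteAddr,
        'SSL' => $https !== '' && $https !== 'off',
        'viaTrustedProxy' => false,
    ];

    // An empty list leaves proxy support off; otherwise the direct peer
    // must be one of the listed proxies before any header is believed.
    $proxies = array_filter(array_map('trim', explode(',', $validProxyIPList)), 'strlen');
    if ($proxies === [] || !in_array($remoteAddr, $proxies, true)) {
        return $env; // X-Forwarded-* is client-controlled here: ignore it
    }
    $env['viaTrustedProxy'] = true;

    // Assuming one proxy that appends the peer address: use the right-most
    // X-Forwarded-For entry. Entries further left may come from the client.
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $candidate = end($chain);
    if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
        $env['REMOTE_ADDR'] = $candidate;
    }
    if (strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
        $env['SSL'] = true;
    }
    return $env;
}

// Constructed sample requests (documentation address ranges only).
$proxyList = '192.0.2.10, 192.0.2.11';
$forwarded = [
    'HTTP_X_FORWARDED_FOR' => '198.51.100.99, 203.0.113.7',
    'HTTP_X_FORWARDED_PROTO' => 'https',
];
$cases = [
    'direct client sending forged headers' => [['REMOTE_ADDR' => '203.0.113.50'] + $forwarded, $proxyList],
    'request relayed by a listed proxy' => [['REMOTE_ADDR' => '192.0.2.10'] + $forwarded, $proxyList],
    'listed proxy, but list left empty' => [['REMOTE_ADDR' => '192.0.2.10'] + $forwarded, ''],
];
foreach ($cases as $label => [$server, $list]) {
    echo $label, ': ', json_encode(resolveRequestEnv($server, $list)), PHP_EOL;
}
```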



