[TYPO3-core] RFC: Fix bug #7397: Proxy servers replace REMOTE_ADDR with their own IP

Martin Kutschker martin.t.kutschker at n0spam.blackbox.net
Thu Feb 21 21:10:57 CET 2008


Martin Kutschker schrieb:
> Michael Stucki schrieb:
>> This is a SVN patch request.
>>
>> Problem:
>> When requesting the client's REMOTE_ADDR, it can happen that there is a 
>> proxy
>> in between server and client, which replaces the value with its own 
>> IP, and puts the original IP in HTTP_X_FORWARDED_FOR instead.

It's not clearly stated here and in the bug report, but generally we 
only want to handle well-known reverse proxies. Anything else would be a 
security risk.

>> Solution:
>> Add a new configuration option to send HTTP_X_FORWARDED_FOR when 
>> requesting the REMOTE_ADDR.
> 
> Here's a new patch. This one is more secure as it ties TYPO3 to a set of 
> known proxies. Furthermore you may define that one or more proxies use 
> SSL in connection to the Internet. And additionally it's possible to add 
> a prefix for http and https proxies in case there is a (weird) path 
> changing proxy setup in place (seems to be the case with some mass 
> SSL-BE hosters).

The 3rd version now uses SYS[reverseProxy*] to better signify the real usage.

It also now has a config that defines how to deal with multiple values 
in HTTP_X_FORWARDED_FOR/HTTP_X_FORWARDED_HOST. Possible options are to use 
the first, the last or none. None is the default.

> What the patch doesn't do is taking care of possible port problems. I 
> guess it's possible that the proxy uses 80, but the internal server uses 
> a non-standard port. This will probably lead to trouble.

Still not handled.

Masi

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: bug_7397_v3.diff
Url: http://lists.netfielders.de/pipermail/typo3-team-core/attachments/20080221/24947abd/attachment.txt 
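The trusted-proxy logic discussed in this thread, as an added example that is not the attached patch or TYPO3's own code: HTTP_X_FORWARDED_FOR is only consulted when REMOTE_ADDR is one of the configured reverse proxies, and a first/last/none policy decides what to do with a multi-valued header. The config key names (reverseProxyIP, reverseProxyHeaderMultiValue) and the reading of "none" as "fall back to REMOTE_ADDR" are assumptions, since the message does not spell them out.

```php
<?php
// Added example, not TYPO3 code. Config key names are assumed for illustration.
function resolveClientIp(array $server, array $sysConf): string
{
    $remoteAddr = $server['REMOTE_ADDR'] ?? '';
    $trusted = array_filter(array_map('trim', explode(',', $sysConf['reverseProxyIP'] ?? '')));

    // Request did not arrive via a known reverse proxy: the header is
    // client-controlled and must be ignored, otherwise anyone could spoof an IP.
    if (!in_array($remoteAddr, $trusted, true)) {
        return $remoteAddr;
    }

    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_values(array_filter(array_map('trim', explode(',', $xff)), 'strlen'));
    // Keep only syntactically valid addresses so garbage never reaches logs or ACLs.
    $hops = array_values(array_filter($hops, fn($ip) => filter_var($ip, FILTER_VALIDATE_IP) !== false));

    if (count($hops) === 0) {
        return $remoteAddr;
    }
    if (count($hops) === 1) {
        return $hops[0];
    }
    // Multiple values: 'first' is the address the outermost party claimed,
    // 'last' is the one appended by the nearest (trusted) proxy,
    // 'none' (assumed default) refuses to guess and keeps REMOTE_ADDR.
    switch ($sysConf['reverseProxyHeaderMultiValue'] ?? 'none') {
        case 'first':
            return $hops[0];
        case 'last':
            return $hops[count($hops) - 1];
        default:
            return $remoteAddr;
    }
}

// Constructed sample values for demonstration.
$conf = ['reverseProxyIP' => '10.0.0.5, 10.0.0.6', 'reverseProxyHeaderMultiValue' => 'last'];

// Via trusted proxy, single value: 203.0.113.7
echo resolveClientIp(['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'], $conf), "\n";
// Via trusted proxy, chain: policy 'last' picks 198.51.100.9
echo resolveClientIp(['REMOTE_ADDR' => '10.0.0.6', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 198.51.100.9'], $conf), "\n";
// Direct client spoofing the header: header ignored, 192.0.2.44 returned
echo resolveClientIp(['REMOTE_ADDR' => '192.0.2.44', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1'], $conf), "\n";
```

The port mismatch mentioned at the end of the message is, as the author notes, not addressed here either.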
