Hello Christopher,

> > An idea to mitigate this risk is to ask the network team to remove
> > some http headers at the entry of the platform (x-forwarded-for,
> > x-forwarded-proto, x-forwarded-... )
>
> This makes a lot of sense, except that there might be some legitimate
> proxies in the path that shouldn't be removed.

My idea was to clean up headers just at the entrance of the data
center. Indeed, intermediate proxies cannot clean up headers;
otherwise, information can be lost.

> >> Uh.... huh? That seems counter-intuitive to trust the first untrusted IP
> >> address you find. I'll read about mod_remoteip and see what it's all about.
> >
> > My mistake, I forgot to mention that it was evaluating from the right
> > to the left.
>
> Aah, that makes more sense. Thanks for the clarification.

I hope one day I will find time to blog about it with clear schemas;
it will be much easier to understand than long sentences :-)


Cyrille
--
Cyrille Le Clerc
clecl...@xebia.fr cyri...@cyrilleleclerc.com
http://blog.xebia.fr

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
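The right-to-left evaluation discussed in this thread, as an added illustration that is not code from the thread or from Tomcat: the walk only discards X-Forwarded-For hops appended by proxies the data center owns or trusts, so a value a client put into the header itself is never promoted to the client address. The network ranges are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample ranges (assumptions for this example, not from the thread):
# INTERNAL_PROXIES are the data center's own hops, TRUSTED_PROXIES are external
# proxies (e.g. a CDN edge) whose X-Forwarded-For appends we accept.
INTERNAL_PROXIES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def _in_any(addr, nets):
    """True if addr is an IP literal inside one of nets; non-IP text never matches."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in n for n in nets)


@dataclass
class Resolved:
    client_ip: str       # address the application should treat as the client
    forwarded_for: str   # hops left of the client: unverified, keep only as data
    forwarded_by: str    # trusted proxies removed while walking


def resolve_client(remote_addr, xff):
    """Walk X-Forwarded-For from right to left, mirroring RemoteIpValve/mod_remoteip.

    The TCP peer (remote_addr) is the only address known to be real. Each hop is
    stripped only if it belongs to a proxy we own or trust; the first hop that
    does not is the client. Everything left of it was written by parties we do
    not trust and is never promoted to the client address.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    if not _in_any(remote_addr, INTERNAL_PROXIES + TRUSTED_PROXIES):
        # Peer is not one of our proxies: the header is client-supplied, ignore it.
        return Resolved(remote_addr, ", ".join(hops), "")
    forwarded_by = [] if _in_any(remote_addr, INTERNAL_PROXIES) else [remote_addr]
    client = remote_addr
    while hops:
        hop = hops.pop()  # right-most entry was appended by the nearest proxy
        client = hop
        if _in_any(hop, INTERNAL_PROXIES):
            continue
        if _in_any(hop, TRUSTED_PROXIES):
            forwarded_by.insert(0, hop)
            continue
        break  # first non-proxy hop: this is the client
    return Resolved(client, ", ".join(hops), ", ".join(forwarded_by))
```

A hop that is not an IP literal is never treated as a proxy, so it becomes the client value as-is; validate it before using it in any access decision.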
