On Thursday 17 July 2003 04:23, you wrote:
> You always want more choice and flexibility, not less ...
i always wanted to make my life less complicated, not more.
but as I pointed out before, changing the application's concept of "the far end" to give you the semantics you want will reduce the usefulness of that function for other users - you're throwing out information (the actual endpoint of the TCP connection) and replacing it with something that is already knowable, is less trustworthy, is less well defined, and is less useful for servers that are not behind a reverse proxy.
by all means, have the option to sniff X-Forwarded-For as a configurable parameter, but the default behaviour should not be to throw away information that the application may want to know...
here's a simple example of why you'd want to know and log the actual endpoint - you're running a server, not behind a reverse proxy, that is having its passwords brute-forced over the network... a single user runs a script to try name/password pairs out of a dictionary, and sends a randomised X-Forwarded-For header with every one... you see many failed logins from many IP addresses, but have to resort to snoop/netstat to find the actual address of the miscreant... If [ns_conn peeraddr] and the access-log behave as they should, you see many failed logins from a single IP, which you can then easily filter out with [ns_conn peeraddr]...
russell muetzelfeldt <[EMAIL PROTECTED]>
"Never offend people with style when you can offend them with substance." --Sam Brown
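The brute-force scenario in the message above, as an added example that is not code from the thread or from AOLserver: the access-log lines are constructed, and the `trusted_proxies` setting is an assumed stand-in for the configurable parameter proposed. Grouping failed logins by the real TCP peer exposes the single source, while honouring X-Forwarded-For from any peer scatters it across the header values the client chose.

```python
import ipaddress
from collections import Counter

# Sentinel for the behaviour argued against above: honour the header no
# matter which peer sent it (assumption: stands in for a "trust any" setting).
TRUST_ANY = None

# Constructed sample access log, one request per line:
#   <tcp peer address> <X-Forwarded-For header or -> <login outcome> <user>
# One host (203.0.113.7) fails repeatedly while randomising the header.
SAMPLE_LOG = """\
203.0.113.7 198.51.100.23 FAIL alice
203.0.113.7 192.0.2.88 FAIL alice
203.0.113.7 198.51.100.9 FAIL bob
203.0.113.7 192.0.2.201 FAIL alice
203.0.113.7 203.0.113.200 FAIL carol
198.51.100.50 - OK dave
"""

def client_address(peer, xff, trusted_proxies):
    """Address to attribute a request to.

    The X-Forwarded-For header is consulted only when the TCP peer is a
    configured reverse proxy (or trusted_proxies is TRUST_ANY), and then
    only its last hop, the one appended by that proxy. A missing or
    malformed value falls back to the peer address.
    """
    if trusted_proxies is not TRUST_ANY and peer not in trusted_proxies:
        return peer
    if xff in ("", "-"):
        return peer
    last_hop = xff.split(",")[-1].strip()
    try:
        ipaddress.ip_address(last_hop)
    except ValueError:
        return peer
    return last_hop

def failed_logins_by_source(log_text, trusted_proxies=frozenset()):
    """Count FAIL outcomes per attributed source address."""
    counts = Counter()
    for line in log_text.splitlines():
        peer, xff, outcome, _user = line.split()
        if outcome == "FAIL":
            counts[client_address(peer, xff, trusted_proxies)] += 1
    return counts
```

With the default (no trusted proxies) the sample yields a single source with five failures; passing `TRUST_ANY` instead reports five apparently distinct addresses, none of them the real one.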
-- AOLserver - http://www.aolserver.com/
