On Saturday 19 July 2003 18:30, you wrote:
> Nate, while you and I were talking, Gustaf actually suggested exactly
> the same thing to the mailing list in a previous email.
>
> At this point, does anyone see a problem with "ns_conn clientaddr"?
> Obviously, forgery of the X-Forwarded-For header is going to be an
> issue. Configuring an optional whitelist of peeraddrs to trust would be
> neat (only look for the X-Forwarded-For header if the peeraddr belongs
> to a list of IPs).
To make things clear: an [ns_conn clientaddr] would make me happy.
The following setup would make me even happier, since it would
require fewer code changes:
if the config file flag "running behind a proxy" is set then {
    tcp_peer   = address from the next tcp-hop (currently ns_conn peeraddr)
    clientaddr = x-forwarded-for given ? value from there : tcp_peer
    and
    * the first field in the access log is clientaddr
    * [ns_conn peeraddr] returns clientaddr
    * [ns_conn tcp_peeraddr] returns tcp_peer
} else { ;# flag in config file is not set
    tcp_peer = address from the next tcp-hop (currently ns_conn peeraddr)
    and
    * the first field in the access log is tcp_peer
    * [ns_conn peeraddr] returns tcp_peer
    * [ns_conn tcp_peeraddr] returns tcp_peer
}
Consequences:
* As long as the mentioned flag in the config file is not set, everything is
  compatible with the current version; the only disadvantage I see is
  an unnecessary subcommand of ns_conn. The logic behind it is
  simple enough and can easily be implemented in C; there is
  no performance penalty.
* When the server is running behind a proxy, the flag should be set, and
  everybody can continue to use [ns_conn peeraddr] for most
  purposes. In rare situations [ns_conn tcp_peeraddr] can be
  used to determine the IP address of the proxy (e.g. when multiple
  different internal proxies are feeding an AOLserver).
> I think this should be implemented, but I'm not sure exactly how useful
> it will be.
My primary point is: if you are running an AOLserver behind a proxy,
the current value of [ns_conn peeraddr] is not very useful.
all the best
-gustaf
--
Univ.Prof. Dr.Gustaf Neumann
Abteilung für Wirtschaftsinformatik
WU-Wien, Augasse 2-6, 1090 Wien
--
AOLserver - http://www.aolserver.com/
To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of
your email blank.
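The resolution logic the thread sketches (config flag, trusted-proxy list, fall back to the TCP peer), as an added example in Python that is not AOLserver code. It models what [ns_conn clientaddr] / [ns_conn tcp_peeraddr] would return under both branches of the proposed flag; the addresses, header values and trusted CIDRs are constructed for illustration. The one point the post only hints at is made explicit: X-Forwarded-For is believed only when the TCP peer is itself a trusted proxy, and the header is walked right-to-left so that a client who pre-fills the header cannot choose the logged address.

```python
"""Client address resolution behind a reverse proxy (added example).

Not AOLserver code: this mirrors the [ns_conn clientaddr] proposal from the
thread. All IPs, header values and the trusted-proxy list are constructed.
"""
import ipaddress


def _trusted_networks(trusted):
    """Parse a list of CIDR strings (assumed config format) into networks."""
    return [ipaddress.ip_network(t, strict=False) for t in trusted]


def _is_ip(addr):
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def _is_trusted(addr, nets):
    return _is_ip(addr) and any(ipaddress.ip_address(addr) in n for n in nets)


def client_addr(peer, xff, trusted, behind_proxy):
    """Address to expose as clientaddr and to log in the first access-log field.

    peer         -- TCP peer address (what ns_conn peeraddr returns today)
    xff          -- raw X-Forwarded-For value, or None if absent
    trusted      -- CIDRs of proxies whose X-Forwarded-For we believe
    behind_proxy -- the "running behind a proxy" config flag from the post

    If the flag is off, or the TCP peer is not a trusted proxy, the header is
    ignored: anything on the open Internet can write into it.  Otherwise the
    comma-separated hops are walked right-to-left, skipping our own proxies,
    and the first address not appended by us is returned.
    """
    if not behind_proxy or not xff:
        return peer
    nets = _trusted_networks(trusted)
    if not _is_trusted(peer, nets):
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, nets):
            continue
        # First hop we did not add.  Non-IP tokens ("unknown", garbage) are
        # not something we want in the log, so fall back to the TCP peer.
        return hop if _is_ip(hop) else peer
    # Every hop was one of our proxies; nothing better than the peer.
    return peer


def conn_addrs(peer, xff, trusted, behind_proxy):
    """The three values the post proposes, for both settings of the flag."""
    if behind_proxy:
        resolved = client_addr(peer, xff, trusted, behind_proxy)
        return {"peeraddr": resolved, "tcp_peeraddr": peer, "clientaddr": resolved}
    return {"peeraddr": peer, "tcp_peeraddr": peer, "clientaddr": peer}


if __name__ == "__main__":
    trusted = ["10.0.0.0/8"]          # constructed: internal proxy range
    # real client 198.51.100.9 forged a leading hop; proxy 10.0.0.2 appended it
    print(client_addr("10.0.0.2", "192.0.2.1, 198.51.100.9", trusted, True))
    # direct connection from the Internet with a forged header: ignored
    print(client_addr("203.0.113.5", "192.0.2.1", trusted, True))
```

The right-to-left walk is what makes the whitelist useful with more than one internal proxy in the chain: each trusted hop appends the address it saw, and the first untrusted one from the right is the real client, regardless of what the client itself put in the header.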