On 24.07.2012 11:22, Joe Orton wrote:
On Tue, Jul 24, 2012 at 10:46:12AM +0200, Rainer Jung wrote:
IMHO if the admin explicitly configured an IP in the ProxyBlock
list we should nevertheless check. For this case there's already a
somewhat related warning in the docs which we could enhance for this
new case.

It looks like we could check whether we have an explicit IP during
set_proxy_exclude() by comparing new->name and apr_sockaddr_ip_get()
of new->addr and later do the IP lookup for the target host only for
those rules where we had an explicit IP.

Not sure whether apr_sockaddr_ip_get() applied to the result of
apr_sockaddr_info_get() applied to an IP gives back the same IP,
e.g. when there's IPv4 and v6 involved.

Right, with a v6 address there can be multiple representations of the
same address so that wouldn't be reliable.

This seems to pile caveat on top of caveat; is it really necessary?
ProxyBlock is not even documented to take literal IP addresses, but
rather "*|word|host|domain".  Adding a special case for a literal IP
will add significant complexity here; is it useful?  If there is a
forward proxy configured why can't that proxy block the IP address?

You are right, I got the feature from the code, not really from the docs. We might remove the sentence "rocky.wotsamattau.edu would also be matched if referenced by IP address." though or explain the limitations. Now that we have understood it, that's easy. So I'm OK with not supporting checking the request IP in the case we use another proxy.

(But reading that code again, you also lead me to another bug; the use
of apr_sockaddr_ip_get() against resolved addresses on the ->noproxies
list looks to be leaky/unsafe, it will allocate memory out of pconf each
time we check a resolved address!)

:(

Thanks!

Rainer
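
Added example, not part of the thread and not httpd code: it shows why comparing the configured word with the printed form of its parsed address misclassifies some IPv6 literals, next to a check that relies on the parse alone. POSIX inet_pton()/inet_ntop() are used as stand-ins for the APR calls named above, and all function names and sample addresses are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Address family of `name` if it is an IP literal, 0 otherwise.
 * Only the success of the parse decides, never its textual form. */
static int literal_family(const char *name)
{
    unsigned char bin[sizeof(struct in6_addr)];
    if (inet_pton(AF_INET, name, bin) == 1) return AF_INET;
    if (inet_pton(AF_INET6, name, bin) == 1) return AF_INET6;
    return 0;
}

/* Stand-in for the proposed check: parse the word, print the address
 * back and compare the text with what the admin wrote. */
static int roundtrip_says_literal(const char *name)
{
    unsigned char bin[sizeof(struct in6_addr)];
    char text[INET6_ADDRSTRLEN];
    int fam = literal_family(name);
    if (fam == 0 || inet_pton(fam, name, bin) != 1) return 0;
    if (inet_ntop(fam, bin, text, sizeof(text)) == NULL) return 0;
    return strcmp(name, text) == 0;
}

/* Compare two literals by binary address instead of by spelling. */
static int same_address(const char *a, const char *b)
{
    unsigned char ba[sizeof(struct in6_addr)], bb[sizeof(struct in6_addr)];
    int fam = literal_family(a);
    if (fam == 0 || fam != literal_family(b)) return 0;
    if (inet_pton(fam, a, ba) != 1 || inet_pton(fam, b, bb) != 1) return 0;
    return memcmp(ba, bb, fam == AF_INET ? 4 : 16) == 0;
}

int main(void)
{
    /* Constructed sample words as they might appear in a block list. */
    const char *words[] = { "192.0.2.10", "2001:db8::1",
                            "2001:DB8:0:0:0:0:0:1", "rocky.wotsamattau.edu" };
    for (size_t i = 0; i < sizeof(words) / sizeof(words[0]); i++)
        printf("%-24s roundtrip=%d parse=%d\n", words[i],
               roundtrip_says_literal(words[i]),
               literal_family(words[i]) != 0);
    return 0;
}
```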
