Maybe my followup is better phrased. No issue with handling of internal IPs.
Currently, we act like RemoteIPTrustedProxy * by default (once they've named the XFF header) and warn people they'd better restrict it.

On Tue, Sep 22, 2015 at 9:20 PM, William A Rowe Jr <[email protected]> wrote:
> I will try, I'm having trouble coming to terms with the idea because there
> is no way one would ever want private IP info from networks outside of their
> control to be used for access control.
>
> If you require ip 127.0.0.1 for your monitoring app/mod_status for example,
> this suggestion completely destroys your ability to perform that. Private IP
> assignments are just that, and their inclusion in this module was largely for
> bridged private environments where the administrator has control of both.
>
> On Tue, Sep 22, 2015 at 1:13 PM, Eric Covener <[email protected]> wrote:
>>
>> I struggled with the phrasing here, any fine-tuning (or more) appreciated.
>>
>> Does our default make sense considering the warning at the top of the
>> doc? Should we make people specify "RemoteIPTrustedProxy *" if they
>> don't want to restrict it?
>>
>> On Tue, Sep 22, 2015 at 2:11 PM, <[email protected]> wrote:
>> > Author: covener
>> > Date: Tue Sep 22 18:11:35 2015
>> > New Revision: 1704683
>> >
>> > URL: http://svn.apache.org/viewvc?rev=1704683&view=rev
>> > Log:
>> > add warnings and emphasize the defaults for trusted non-internal
>> > proxies)
>> >
>> >
>> > Modified: >> > httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml >> > >> > Modified: httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml >> > URL: >> > http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml?rev=1704683&r1=1704682&r2=1704683&view=diff >> > >> > ============================================================================== >> > --- httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml (original) >> > +++ httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml Tue Sep 22 >> > 18:11:35 2015
>> > @@ -113,9 +113,12 @@ via the request headers. >> > <var>header-field</var> header as the useragent IP address, or list >> > of intermediate useragent IP addresses, subject to further >> > configuration >> > of the <directive >> > module="mod_remoteip">RemoteIPInternalProxy</directive> and >> > - <directive module="mod_remoteip">RemoteIPTrustedProxy</directive> >> > directives. Unless these >> > - other directives are used, <module>mod_remoteip</module> will trust >> > all >> > - hosts presenting a <directive >> > module="mod_remoteip">RemoteIPHeader</directive> IP value.</p> >> > + <directive module="mod_remoteip">RemoteIPTrustedProxy</directive> >> > directives.</p> >> > + >> > + <note type="warning"> Unless these other directives are used, >> > <module>mod_remoteip</module> >> > + will trust all hosts presenting a non internal address in the >> > + <directive module="mod_remoteip">RemoteIPHeader</directive> header >> > value. >> > + </note> >> > >> > <example><title>Internal (Load Balancer) Example</title> >> > <highlight language="config"> 
>> > @@ -213,20 +216,26 @@ RemoteIPProxiesHeader X-Forwarded-By >> > >> > <directivesynopsis> >> > <name>RemoteIPTrustedProxy</name> >> > -<description>Declare client intranet IP addresses trusted to present >> > the RemoteIPHeader value</description> >> > +<description>Restrict client IP addresses trusted to present the >> > RemoteIPHeader value</description> >> > <syntax>RemoteIPTrustedProxy >> > <var>proxy-ip</var>|<var>proxy-ip/subnet</var>|<var>hostname</var> >> > ...</syntax> >> > <contextlist><context>server config</context><context>virtual >> > host</context></contextlist> >> > >> > <usage> >> > - <p>The <directive >> > module="mod_remoteip">RemoteIPTrustedProxy</directive> directive adds one >> > - or more addresses (or address blocks) to trust as presenting a >> > valid >> > - RemoteIPHeader value of the useragent IP. Unlike the >> > - <directive module="mod_remoteip">RemoteIPInternalProxy</directive> >> > directive, any intranet >> > + <p>The <directive >> > module="mod_remoteip">RemoteIPTrustedProxy</directive> >> > + directive restricts which peer IP addresses (or address blocks) >> > will be >> > + trusted to present a valid RemoteIPHeader value of the useragent >> > IP.</p> >> > + >> > + <p> Unlike the <directive >> > module="mod_remoteip">RemoteIPInternalProxy</directive> directive, any >> > intranet >> > or private IP address reported by such proxies, including the 10/8, >> > 172.16/12, >> > 192.168/16, 169.254/16 and 127/8 blocks (or outside of the IPv6 >> > public >> > 2000::/3 block) are not trusted as the useragent IP, and are left >> > in the >> > <directive module="mod_remoteip">RemoteIPHeader</directive> >> > header's value.</p> >> > >> > + <note type="warning">By default, <module>mod_remoteip</module> will >> > trust >> > + all hosts presenting a non internal address in the >> > + <directive module="mod_remoteip">RemoteIPHeader</directive> header >> > value. 
>> > + </note> >> > + >> > <example><title>Trusted (Load Balancer) Example</title> >> > <highlight language="config"> >> > RemoteIPHeader X-Forwarded-For >> > @@ -239,7 +248,7 @@ RemoteIPTrustedProxy proxy.example.com >> > >> > <directivesynopsis> >> > <name>RemoteIPTrustedProxyList</name> >> > -<description>Declare client intranet IP addresses trusted to present >> > the RemoteIPHeader value</description> >> > +<description>Restrict client IP addresses trusted to present the >> > RemoteIPHeader value</description> >> > <syntax>RemoteIPTrustedProxyList <var>filename</var></syntax> >> > <contextlist><context>server config</context><context>virtual >> > host</context></contextlist> >> > >> > >> > >> >> >> >> -- >> Eric Covener >> [email protected] > > -- Eric Covener [email protected]
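Review bot: in the first hunk (@@ -113,9 +113,12 @@) the new `<note type="warning">` writes "non internal", which should be hyphenated as "non-internal" (the commit log already spells it that way), and the note no longer sits next to the sentence that names the directives, so "Unless these other directives are used" is ambiguous on its own; name `RemoteIPInternalProxy` and `RemoteIPTrustedProxy` inside the note, and say what "internal" means here (a reader hits this warning before the private-range list in the `RemoteIPTrustedProxy` usage text), e.g. "a non-internal (public) address".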
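Review bot: in the second hunk (@@ -213,20 +216,26 @@) the new warning in the `RemoteIPTrustedProxy` usage repeats the one added at line 113 almost verbatim, and "By default" is misleading on its own: as the message at the top of this thread says, the module only behaves like `RemoteIPTrustedProxy *` once `RemoteIPHeader` has been set. Suggest "Once RemoteIPHeader is set, and unless RemoteIPInternalProxy or RemoteIPTrustedProxy is configured, mod_remoteip will trust all hosts presenting a non-internal address ...", with the same "non-internal" hyphenation. The `<description>` change from "Declare client intranet IP addresses" to "Restrict client IP addresses" is right, since the directive names peers, not intranet addresses.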
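Review bot: in the third hunk (@@ -239,7 +248,7 @@) only the `<description>` of `RemoteIPTrustedProxyList` changes; its `<usage>` text is not shown getting the matching `<note type="warning">` that `RemoteIPTrustedProxy` now carries, so either add the same note there or have the usage text point at the `RemoteIPTrustedProxy` warning, so the two directives' docs stay in step.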
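As an added example, not part of this thread or of httpd's own code: a small Python model of the trust walk the documentation text above describes, so the default ("trust every peer as a non-internal proxy") can be compared with a restricted `RemoteIPTrustedProxy` or `RemoteIPInternalProxy` setting. It assumes only literal IPs and CIDR blocks (hostnames are not resolved), and the peer and header values are constructed.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

# Intranet/private ranges mod_remoteip will not accept as the useragent IP
# when presented by a RemoteIPTrustedProxy (a RemoteIPInternalProxy may
# present them), as listed in the documentation text quoted above.
PRIVATE_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]
PUBLIC_V6 = ipaddress.ip_network("2000::/3")


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return any(addr in net for net in PRIVATE_V4)
    return addr not in PUBLIC_V6          # anything outside 2000::/3


def in_list(ip: str, nets: Iterable[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def useragent_ip(peer: str, xff: Optional[str], internal: Iterable[str] = (),
                 trusted: Iterable[str] = ()) -> Tuple[str, Optional[str]]:
    """Model of the header walk. Returns (client_ip, header value left over).

    Values are consumed right to left. A value is believed only if the peer
    that presented it is an internal or trusted proxy; with neither directive
    configured (the default discussed in the thread) every peer is believed,
    as if 'RemoteIPTrustedProxy *' were set, but private values still stop
    the walk because no peer counts as internal.
    """
    internal, trusted = tuple(internal), tuple(trusted)
    client = peer
    values = [v.strip() for v in xff.split(",") if v.strip()] if xff else []
    while values:
        is_internal = in_list(client, internal)
        if (internal or trusted) and not (is_internal or in_list(client, trusted)):
            break                        # unknown peer: header is not believed
        if not is_internal and is_private(values[-1]):
            break                        # private value from a non-internal hop stays in the header
        client = values.pop()
    return client, ", ".join(values) or None
```

With no directives, `useragent_ip("198.51.100.7", "203.0.113.9")` returns `("203.0.113.9", None)`, i.e. an arbitrary peer's header is believed; with `trusted=("10.0.0.5",)` naming the load balancer it returns `("198.51.100.7", "203.0.113.9")` and the header is ignored.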
