On 07.02.2017 at 22:53, Yann Ylavic wrote:
On Tue, Feb 7, 2017 at 10:14 PM, Jordan Gigov <colad...@gmail.com> wrote:
On 7 February 2017 at 22:33, Yann Ylavic <ylavic....@gmail.com> wrote:
I'm a bit reluctant with these patches, and probably need to be
convinced this isn't an application issue in the first place (why not
use X-Forwarded-Proto or alike to achieve the same? i.e. generate
https links...), or an SSL endpoint issue (why not rewrite URLs or
alike there?).
It can be X-Forwarded-Proto or whatever you set it to with my patch
(for the standard method of proxying).
I can't speak to the ProxyProtocol one.

I also don't see what you mean by an "application issue".

I mean the application can know about "X-Forwarded-Proto or whatever"
header, it could act with it like it does with HTTPS=on (if it
wishes)

for that you would need to touch each and every application, and you have no secure way to know for sure if that header is trustable; when mod_remoteip is part of the game you don't even know (and should not know) the physical connecting IP

and so when you write an application to directly process that header you make your application vulnerable in every environment where the outside client fakes that header

dealing with it the same way as for REMOTE_ADDR would make it 100% transparent for the application and it would only trigger if the admin configured the underlying server as he does with mod_remoteip's "RemoteIPInternalProxy"

it's not an application issue - the application must not know anything about infrastructure decisions - it's the job of the underlying infrastructure
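To make the trust argument above concrete, here is an added example (not Jordan's patch and not httpd's own code) of the difference between an application that reads X-Forwarded-Proto directly and infrastructure that honours it only from a configured internal proxy, the way mod_remoteip's RemoteIPInternalProxy gates X-Forwarded-For before it becomes REMOTE_ADDR. The TRUSTED_PROXIES networks, the ConnInfo record and the cgi_env helper are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example: the networks of the SSL-terminating proxies the admin
# trusts. This plays the same role as httpd's RemoteIPInternalProxy, which
# mod_remoteip consults before it honours X-Forwarded-For for REMOTE_ADDR.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.10/32"),
]


@dataclass
class ConnInfo:
    """Assumed shape of what the server knows about one request."""
    peer_addr: str            # address of the TCP peer (a proxy, or a direct client)
    scheme: str               # scheme of the physical connection to this server
    headers: dict = field(default_factory=dict)  # canonical header names assumed


def is_trusted_proxy(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_scheme(conn: ConnInfo, header: str = "X-Forwarded-Proto") -> str:
    """What an application does when it reads the header itself: it believes
    whatever the peer sent, so a direct client can simply claim https."""
    return conn.headers.get(header, conn.scheme).strip().lower()


def effective_scheme(conn: ConnInfo, header: str = "X-Forwarded-Proto") -> str:
    """Honour the forwarded scheme only when the immediate peer is a configured
    internal proxy; otherwise the physical connection's scheme stands."""
    if not is_trusted_proxy(conn.peer_addr):
        return conn.scheme
    raw = conn.headers.get(header, "")
    # Some proxy chains append one value per hop; the nearest (trusted) hop
    # wrote the last one. Anything that is not a known scheme is ignored.
    value = raw.split(",")[-1].strip().lower() if raw else ""
    if value in ("http", "https"):
        return value
    return conn.scheme


def cgi_env(conn: ConnInfo) -> dict:
    """Derive the HTTPS variable the way applications already expect it, so
    the application never has to look at the header or know about the proxy."""
    return {"HTTPS": "on"} if effective_scheme(conn) == "https" else {}


if __name__ == "__main__":
    spoofed = ConnInfo("203.0.113.5", "http", {"X-Forwarded-Proto": "https"})
    via_proxy = ConnInfo("10.1.2.3", "http", {"X-Forwarded-Proto": "https"})
    print("direct client, naive :", naive_scheme(spoofed))       # https (spoofed)
    print("direct client, gated :", effective_scheme(spoofed))   # http
    print("trusted proxy, gated :", effective_scheme(via_proxy)) # https
    print("env for application  :", cgi_env(via_proxy))          # {'HTTPS': 'on'}
```

The application only ever sees the HTTPS variable; whether the peer address was trustworthy was decided once, in configuration, by the same admin who configures RemoteIPInternalProxy.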
