On 07.02.2017 at 23:50, Yann Ylavic wrote:
> On Tue, Feb 7, 2017 at 11:34 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
>
>> On 07.02.2017 at 22:53, Yann Ylavic wrote:
>>
>>> I mean the application can know about "X-Forwarded-Proto or whatever"
>>> header, it could act with it like it does with HTTPS=on (if it
>>> wishes)
>>
>> for that you would need to touch each and every application and you have no
>> secure way to know for sure if that header is trustable; when mod_remoteip
>> is part of the game you don't even know (and should not know) the physical
>> connecting IP
>
> I agree with that, "X-Forwarded-Proto or whatever" was meant to say "a
> trustable information", and I even agree that it's mod_remoteip's job to
> give that information.
>
> I just don't think we should make as if httpd were running https (i.e.
> for all modules/applications to think it is), but rather give the real
> information: trustable remote is running https

with a wayback machine this would be pretty cool, but whatever you do at this point in time needs to

a) get implemented in the TLS offloading software
b) get implemented in the backend server (httpd)
c) get implemented in each and every web application

while a) and b) are realistic in a mid-term timeframe, c) is not, and additionally c) needs to do it securely

to do it securely is even a real problem

how can you, as a PHP application developer, trust that "X-Forwarded-Proto" is trustable and not from the end-user client at all? For REMOTE_ADDR you don't consider "X-Forwarded-For", exactly for that reason

when mod_remoteip is in place, "X-Forwarded-For" contains only untrusted information and the IP of your own proxy is ripped out of that header

without mod_remoteip you get, unfiltered, whatever came over the wire, and you have no idea within the PHP application if you are behind a proxy at all

at least not a trusted one, and even if httpd promises in a later version that you don't get that header from untrusted sources, you have no idea if the httpd at your hoster has that promise (LTS distributions with no real versions), and there are other webservers too

hence application developers are advised to make no decisions based on that header. I would find it questionable to have an "X-Forwarded-Proto" that you have to deal with in the application and an "X-Forwarded-For" that you *must not* process for security reasons
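The trust rule argued over in this thread, written out as an added Python example (this is not code from the thread, from httpd or from mod_remoteip): a forwarded header is honoured only when the TCP peer is a proxy the server operator has listed, the listed proxies are stripped from X-Forwarded-For the way mod_remoteip does, and X-Forwarded-Proto is turned into HTTPS=on only under the same condition. The trusted-proxy list, the addresses and the function names (client_address, effective_scheme, normalize_environ) are constructed for the example.

```python
"""Honour X-Forwarded-* only when the immediate peer is a trusted proxy.

Added example; the proxy list and sample addresses below are constructed.
"""
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# Constructed: in a real deployment this comes from server configuration,
# never from anything the client can send.
TRUSTED_PROXIES = ("10.0.0.0/8", "192.0.2.10")


def _networks(cidrs: Iterable[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_trusted(addr: str, trusted) -> bool:
    """True if addr parses as an IP and lies inside a trusted network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # garbage in a forwarded hop is treated as untrusted
    return any(ip in net for net in trusted)


def client_address(remote_addr: str, xff: Optional[str],
                   trusted_cidrs: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Walk X-Forwarded-For from the right, discarding trusted proxies.

    Returns (client_ip, leftover_header): the first untrusted hop becomes the
    client, and whatever is left of the header is untrusted client-supplied
    data, mirroring how mod_remoteip rips its own proxies out of the header.
    If the TCP peer itself is not trusted the header is ignored entirely.
    """
    trusted = _networks(trusted_cidrs)
    if not is_trusted(remote_addr, trusted):
        return remote_addr, xff
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    client = remote_addr
    while hops and is_trusted(client, trusted):
        client = hops.pop()
    return client, (", ".join(hops) or None)


def effective_scheme(remote_addr: str, xfp: Optional[str], wire_scheme: str,
                     trusted_cidrs: Iterable[str]) -> str:
    """'https' only if the wire is TLS or a trusted proxy says it terminated TLS."""
    if wire_scheme == "https":
        return "https"
    if is_trusted(remote_addr, _networks(trusted_cidrs)) and \
            (xfp or "").strip().lower() == "https":
        return "https"
    return "http"


def normalize_environ(environ: Dict[str, str],
                      trusted_cidrs: Iterable[str] = TRUSTED_PROXIES) -> Dict[str, str]:
    """Rewrite a WSGI-style environ so the application sees only trustable values.

    REMOTE_ADDR becomes the real client, HTTPS=on is set only when justified,
    and the forwarded headers are either stripped or reduced to their untrusted
    remainder, so the application need not know whether a proxy is in play.
    """
    env = dict(environ)
    peer = env.get("REMOTE_ADDR", "")
    client, leftover = client_address(peer, env.get("HTTP_X_FORWARDED_FOR"), trusted_cidrs)
    scheme = effective_scheme(peer, env.get("HTTP_X_FORWARDED_PROTO"),
                              env.get("wsgi.url_scheme", "http"), trusted_cidrs)
    env["REMOTE_ADDR"] = client
    env["wsgi.url_scheme"] = scheme
    if scheme == "https":
        env["HTTPS"] = "on"
    else:
        env.pop("HTTPS", None)
    if leftover:
        env["HTTP_X_FORWARDED_FOR"] = leftover
    else:
        env.pop("HTTP_X_FORWARDED_FOR", None)
    env.pop("HTTP_X_FORWARDED_PROTO", None)  # consumed; never passed through
    return env


if __name__ == "__main__":
    # Constructed request: client 203.0.113.7 via trusted proxy 10.0.0.5 over TLS.
    print(normalize_environ({"REMOTE_ADDR": "10.0.0.5",
                             "HTTP_X_FORWARDED_FOR": "203.0.113.7",
                             "HTTP_X_FORWARDED_PROTO": "https",
                             "wsgi.url_scheme": "http"}))
    # Same headers sent directly by a client: both are ignored.
    print(normalize_environ({"REMOTE_ADDR": "203.0.113.7",
                             "HTTP_X_FORWARDED_FOR": "10.0.0.9",
                             "HTTP_X_FORWARDED_PROTO": "https",
                             "wsgi.url_scheme": "http"}))
```

The point of doing this once, in front of the application, is the one made in the message above: the application never has to decide whether a forwarded header is trustable, because by the time it runs, REMOTE_ADDR and HTTPS already carry the answer and the raw headers are gone.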

