On Wed, Mar 29, 2017 at 4:43 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote: > > It would be nice if the mod_remoteip patch to PROXY protocol followed the > security advisories of the PROXY draft security comments, and we rip out the > 'optional' mode. The remaining objection is around the ambiguity of 'optional' > (which can't exist) and the objection that how PROXY works as an implicit > trust model using mod_remoteip is laughable, since the connection cannot > be established without some PROXY protocol line interceptor yanking the > garbage out of otherwise well-formed HTTP/1.1 - HTTP-TLS - h2c - h2 input. > > There is no 'untrusted PROXY header input' because that isn't part of the > HTTP protocol and that garbage generates a 400 without an interceptor. > No problem declaring that if we are willing to decode it, we will accept the > input as gospel.
(By this measure, I'm dropping any objection to also setting HTTPS TLS content trust flags, although mod_ssl would typically provide much more information about which server and client certificates had been presented and what cipher is in use.)