> On 24 Jul 2017, at 13:57, Melanie Thielker <[email protected]> wrote:
> 
> Hi,
> 
> there is no point in trying to do that because the grid services are
> so varied in scope and can be behind reverse proxies, etc.

Reverse proxies shouldn't be a problem; if a grid is behind one it should still 
receive the request for IP/region confirmation as normal (just as you can log in 
etc. as normal). If the web-service is behind one then usually they will still 
be passed Forward-For and related headers from which it can get the source IP 
(Apache and nginx can do this automatically so you don't have to do it in your 
app-code).

If a simulator is proxied in such a way that the source IP that the web-service 
sees doesn't match what the grid is willing to verify, then that's precisely 
the kind of suspicious case I'd like to be able to detect. For my own 
web-services this alone won't be enough to block access, but will cause the 
requests to be handled as "untrusted", either requiring some authentication, or 
limiting what can be done.

> IP has not been a security factor for a long time, since today many
> different services, not all from the same provider, share an IP.

My intent isn't to use it as absolute security; just to get some assurance that 
a request is actually coming from where it says it does.

> Your best approach is therefore to create HTTPS connections and do
> authentication within this secure wrapper using anything from a
> simple password to a full PKI setup, depending on the security level
> required.

For anything sensitive I absolutely still intend to use session keys to keep 
track of authenticated devices, but I'd still like to be able to validate that 
information being sent in the request is true. It's not an either/or; the 
capability for both can absolutely exist.

The question IMO isn't whether a callback would work, as it absolutely should, 
the question is how best to implement it.
_______________________________________________
Opensim-dev mailing list
[email protected]
http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
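
Added example, not part of the original message or of OpenSimulator: a Python sketch of the web-service side of the check discussed above, taking the source IP from X-Forwarded-For only when the direct peer is a known reverse proxy and treating a mismatch with the grid-confirmed address as "untrusted". The proxy ranges, the `grid_confirmed` mapping (standing in for the result of the proposed confirmation callback) and all function names are assumptions.

```python
import ipaddress

# Assumption: networks of the reverse proxies in front of this web-service (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("127.0.0.1/32")]

def _is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def source_ip(peer_ip, x_forwarded_for=None):
    """Return the client address, honouring X-Forwarded-For only for
    hops that were appended by proxies we operate."""
    addr = ipaddress.ip_address(peer_ip)
    if not x_forwarded_for or not _is_trusted_proxy(addr):
        # A header sent by an unknown peer is client-controlled: ignore it.
        return addr
    # Walk right to left: each trusted proxy appended the address it
    # received the request from; stop at the first hop we do not operate.
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could vouch for
        if not _is_trusted_proxy(addr):
            break
    return addr

def classify(peer_ip, x_forwarded_for, claimed_region, grid_confirmed):
    """grid_confirmed maps region name -> IP string the grid vouches for
    (hypothetical stand-in for the confirmation callback's answer)."""
    seen = source_ip(peer_ip, x_forwarded_for)
    confirmed = grid_confirmed.get(claimed_region)
    if confirmed is not None and ipaddress.ip_address(confirmed) == seen:
        return "trusted"
    # Mismatch or unknown region: require authentication or limit the request.
    return "untrusted"

if __name__ == "__main__":
    grid = {"Sandbox": "203.0.113.7"}  # constructed sample data
    print(classify("10.0.0.5", "203.0.113.7", "Sandbox", grid))
    print(classify("198.51.100.9", "203.0.113.7", "Sandbox", grid))
```
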
