Re: svn commit: r1704683 - /httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml

2015-10-06 Thread Eric Covener
On Tue, Sep 22, 2015 at 11:09 PM, William A Rowe Jr  wrote:
> On Tue, Sep 22, 2015 at 8:48 PM, Eric Covener  wrote:
>>
>> Maybe my followup is better phrased.  No issue with handling of internal
>> IPs.
>>
>> Currently, we act like RemoteIPTrustedProxy * by default (once they've
>> named the XFF header) and warn people they'd better restrict it.
>
>
> I agree that was not the original design and we should address it with a fix
> rather than a docs fix, IMHO.  'Trusted' is the exception, not the general
> case.

bump. I don't love the idea of changing the 2.4 defaults.

Current doc already says "Unless these other directives are used,
mod_remoteip will trust all hosts presenting a RemoteIPHeader IP
value." so I thought it was wise to reinforce this in other sections.
Doc is not back-ported yet.


Re: svn commit: r1704683 - /httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml

2015-10-06 Thread Jim Jagielski

> On Oct 6, 2015, at 10:47 AM, Eric Covener  wrote:
> 
> On Tue, Sep 22, 2015 at 11:09 PM, William A Rowe Jr  
> wrote:
>> On Tue, Sep 22, 2015 at 8:48 PM, Eric Covener  wrote:
>>> 
>>> Maybe my followup is better phrased.  No issue with handling of internal
>>> IPs.
>>> 
>>> Currently, we act like RemoteIPTrustedProxy * by default (once they've
>>> named the XFF header) and warn people they'd better restrict it.
>> 
>> 
>> I agree that was not the original design and we should address it with a fix
>> rather than a docs fix, IMHO.  'Trusted' is the exception, not the general
>> case.
> 
> bump. I don't love the idea of changing the 2.4 defaults.

+1

> 
> Current doc already says "Unless these other directives are used,
> mod_remoteip will trust all hosts presenting a RemoteIPHeader IP
> value." so I thought it was wise to reinforce this in other sections.
> Doc is not back-ported yet.



Re: svn commit: r1704683 - /httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml

2015-09-22 Thread Eric Covener
I struggled with the phrasing here, any fine-tuning (or more) appreciated.

Does our default make sense considering the warning at the top of the
doc? Should we make people specify "RemoteIPTrustedProxy *" if they
don't want to restrict it?

On Tue, Sep 22, 2015 at 2:11 PM,   wrote:
> Author: covener
> Date: Tue Sep 22 18:11:35 2015
> New Revision: 1704683
>
> URL: http://svn.apache.org/viewvc?rev=1704683&view=rev
> Log:
> add warnings and emphasize the defaults for trusted non-internal proxies)
>
>
> Modified:
> httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
>
> Modified: httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml?rev=1704683&r1=1704682&r2=1704683&view=diff
> ==
> --- httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml (original)
> +++ httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml Tue Sep 22 18:11:35 
> 2015
> @@ -113,9 +113,12 @@ via the request headers.
>  header-field header as the useragent IP address, or list
>  of intermediate useragent IP addresses, subject to further configuration
>  of the  module="mod_remoteip">RemoteIPInternalProxy and
> -RemoteIPTrustedProxy 
> directives.  Unless these
> -other directives are used, mod_remoteip will trust all
> -hosts presenting a  module="mod_remoteip">RemoteIPHeader IP value.
> +RemoteIPTrustedProxy 
> directives.
> +
> + Unless these other directives are used, 
> mod_remoteip
> +will trust all hosts presenting a non internal address in the
> +RemoteIPHeader header value.
> +
>
>  Internal (Load Balancer) Example
>  
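Review bot: the note added at "+ Unless these other directives are used" changes what the overview states, not just its emphasis: the removed sentence said mod_remoteip "will trust all hosts presenting a RemoteIPHeader IP value", while the new one narrows that to "a non internal address", so the log line ("add warnings and emphasize the defaults") undersells the change and the qualification deserves a mention there. Two wording points in the same lines: "non internal" should be hyphenated ("non-internal"), and "in the RemoteIPHeader header value" doubles the word; "in the RemoteIPHeader value" reads cleanly.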
> @@ -213,20 +216,26 @@ RemoteIPProxiesHeader X-Forwarded-By
>
>  
>  RemoteIPTrustedProxy
> -Declare client intranet IP addresses trusted to present the 
> RemoteIPHeader value
> +Restrict client IP addresses trusted to present the 
> RemoteIPHeader value
>  RemoteIPTrustedProxy 
> proxy-ip|proxy-ip/subnet|hostname 
> ...
>  server configvirtual 
> host
>
>  
> -The RemoteIPTrustedProxy 
> directive adds one
> -or more addresses (or address blocks) to trust as presenting a valid
> -RemoteIPHeader value of the useragent IP.  Unlike the
> -RemoteIPInternalProxy 
> directive, any intranet
> +The RemoteIPTrustedProxy
> +directive restricts which peer IP addresses (or address blocks) will be
> +trusted to present  a valid RemoteIPHeader value of the useragent IP.
> +
> + Unlike the  module="mod_remoteip">RemoteIPInternalProxy directive, any 
> intranet
>  or private IP address reported by such proxies, including the 10/8, 
> 172.16/12,
>  192.168/16, 169.254/16 and 127/8 blocks (or outside of the IPv6 public
>  2000::/3 block) are not trusted as the useragent IP, and are left in the
>  RemoteIPHeader header's 
> value.
>
> +By default, mod_remoteip will trust
> +all hosts presenting a non internal address in the
> +RemoteIPHeader header value.
> +
> +
>  Trusted (Load Balancer) Example
>  
>  RemoteIPHeader X-Forwarded-For
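Review bot: the "+By default, mod_remoteip will trust / +all hosts presenting a non internal address" paragraph repeats, nearly word for word, the note the previous hunk adds to the module overview; keeping a single statement of the default with a cross-reference from this directive would be easier to keep in sync if the default itself is changed, which is what this thread is debating. The rewritten lead sentence ("directive restricts which peer IP addresses ... will be trusted") is an improvement over "adds one or more addresses", since it says what configuring the directive does; the default paragraph could then state the converse just as plainly, that with neither RemoteIPTrustedProxy nor RemoteIPInternalProxy configured the module behaves as though RemoteIPTrustedProxy * were set. Minor: "trusted to present  a valid" has a doubled space, and "non internal" again wants a hyphen.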
> @@ -239,7 +248,7 @@ RemoteIPTrustedProxy proxy.example.com
>
>  
>  RemoteIPTrustedProxyList
> -Declare client intranet IP addresses trusted to present the 
> RemoteIPHeader value
> +Restrict client IP addresses trusted to present the 
> RemoteIPHeader value
>  RemoteIPTrustedProxyList filename
>  server configvirtual 
> host
>
>
>
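Review bot: this hunk changes only the one-line description of RemoteIPTrustedProxyList, so its body gets no equivalent of the "By default, mod_remoteip will trust all hosts ..." note that the previous hunk adds to RemoteIPTrustedProxy; a reader who lands on the *List directive directly still misses the default. Either repeat the one-sentence default here or add a cross-reference to the RemoteIPTrustedProxy description, and apply the same "Restrict client IP addresses" wording change to RemoteIPInternalProxyList if its description has the same "Declare client intranet IP addresses" phrasing (not visible in this diff).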



-- 
Eric Covener
cove...@gmail.com
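An added example (not code from httpd or from this thread): a simplified Python model of the header walk the quoted documentation describes, so the "RemoteIPTrustedProxy *" default under discussion can be compared with a restricted configuration on concrete inputs. The function and helper names are mine; it assumes the address-class rules exactly as the doc text lists them and leaves out RemoteIPProxiesHeader and hostname-based proxy entries.

```python
import ipaddress

# Ranges the quoted doc text says a merely *trusted* (non-internal) proxy may
# not report as the useragent address; only RemoteIPInternalProxy peers may.
_PRIVATE_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]
_PUBLIC_V6 = ipaddress.ip_network("2000::/3")


def _is_private(addr):
    if addr.version == 4:
        return any(addr in net for net in _PRIVATE_V4)
    return addr not in _PUBLIC_V6


def resolve_client(peer, header, internal=(), trusted=()):
    """Walk the RemoteIPHeader value right-to-left the way mod_remoteip does.
    peer     -- address of the TCP connection peer
    header   -- the X-Forwarded-For (RemoteIPHeader) value, or None
    internal -- networks configured with RemoteIPInternalProxy
    trusted  -- networks configured with RemoteIPTrustedProxy
    Returns (useragent_ip, leftover_header, proxies_passed).
    """
    internal = [ipaddress.ip_network(n) for n in internal]
    trusted = [ipaddress.ip_network(n) for n in trusted]
    current = ipaddress.ip_address(peer)
    entries = [e.strip() for e in header.split(",") if e.strip()] if header else []
    proxies = []
    while entries:
        # Which kind of proxy handed us the header? With no proxy directives
        # at all, every peer is treated as a trusted proxy (the thread's
        # "RemoteIPTrustedProxy *" default); hypothetical simplified model.
        if any(current in net for net in internal):
            is_internal = True
        elif not (internal or trusted) or any(current in net for net in trusted):
            is_internal = False
        else:
            break                           # untrusted peer: header left as-is
        try:
            candidate = ipaddress.ip_address(entries[-1])
        except ValueError:
            break                           # unparseable entry: stop here
        if not is_internal and _is_private(candidate):
            break                           # private IP via trusted proxy: not the client
        entries.pop()
        proxies.append(str(current))
        current = candidate
    return str(current), (", ".join(entries) or None), proxies
```

With the default (no proxy directives) any peer can set the client address to a public IP, while a private address such as 127.0.0.1 is still refused, which is the distinction both sides of the thread are drawing.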


Re: svn commit: r1704683 - /httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml

2015-09-22 Thread William A Rowe Jr
I will try, I'm having trouble coming to terms with the idea because there
is no way one would ever want private IP info from networks outside of
their control to be used for access control.

If you require ip 127.0.0.1 for your monitoring app/mod_status for example,
this suggestion completely destroys your ability to perform that.  Private
IP assignments are just that, and their inclusion in this module was
largely for bridged private environments where the administrator has
control of both.

On Tue, Sep 22, 2015 at 1:13 PM, Eric Covener  wrote:

> I struggled with the phrasing here, any fine-tuning (or more) appreciated.
>
> Does our default make sense considering the warning at the top of the
> doc? Should we make people specify "RemoteIPTrustedProxy *" if they
> don't want to restrict it?
>
> On Tue, Sep 22, 2015 at 2:11 PM,   wrote:
> > Author: covener
> > Date: Tue Sep 22 18:11:35 2015
> > New Revision: 1704683
> >
> > URL: http://svn.apache.org/viewvc?rev=1704683&view=rev
> > Log:
> > add warnings and emphasize the defaults for trusted non-internal proxies)
> >
> >
> > Modified:
> > httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
> >
> > Modified: httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
> > URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml?rev=1704683&r1=1704682&r2=1704683&view=diff
> >
> ==
> > --- httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml (original)
> > +++ httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml Tue Sep 22
> 18:11:35 2015
> > @@ -113,9 +113,12 @@ via the request headers.
> >  header-field header as the useragent IP address, or list
> >  of intermediate useragent IP addresses, subject to further
> configuration
> >  of the  module="mod_remoteip">RemoteIPInternalProxy and
> > -RemoteIPTrustedProxy
> directives.  Unless these
> > -other directives are used, mod_remoteip will trust
> all
> > -hosts presenting a  module="mod_remoteip">RemoteIPHeader IP value.
> > +RemoteIPTrustedProxy
> directives.
> > +
> > + Unless these other directives are used,
> mod_remoteip
> > +will trust all hosts presenting a non internal address in the
> > +RemoteIPHeader header
> value.
> > +
> >
> >  Internal (Load Balancer) Example
> >  
> > @@ -213,20 +216,26 @@ RemoteIPProxiesHeader X-Forwarded-By
> >
> >  
> >  RemoteIPTrustedProxy
> > -Declare client intranet IP addresses trusted to present
> the RemoteIPHeader value
> > +Restrict client IP addresses trusted to present the
> RemoteIPHeader value
> >  RemoteIPTrustedProxy
> proxy-ip|proxy-ip/subnet|hostname
> ...
> >  server configvirtual
> host
> >
> >  
> > -The  module="mod_remoteip">RemoteIPTrustedProxy directive adds one
> > -or more addresses (or address blocks) to trust as presenting a valid
> > -RemoteIPHeader value of the useragent IP.  Unlike the
> > -RemoteIPInternalProxy
> directive, any intranet
> > +The  module="mod_remoteip">RemoteIPTrustedProxy
> > +directive restricts which peer IP addresses (or address blocks)
> will be
> > +trusted to present  a valid RemoteIPHeader value of the useragent
> IP.
> > +
> > + Unlike the  module="mod_remoteip">RemoteIPInternalProxy directive, any
> intranet
> >  or private IP address reported by such proxies, including the 10/8,
> 172.16/12,
> >  192.168/16, 169.254/16 and 127/8 blocks (or outside of the IPv6
> public
> >  2000::/3 block) are not trusted as the useragent IP, and are left
> in the
> >  RemoteIPHeader
> header's value.
> >
> > +By default, mod_remoteip will
> trust
> > +all hosts presenting a non internal address in the
> > +RemoteIPHeader header
> value.
> > +
> > +
> >  Trusted (Load Balancer) Example
> >  
> >  RemoteIPHeader X-Forwarded-For
> > @@ -239,7 +248,7 @@ RemoteIPTrustedProxy proxy.example.com
> >
> >  
> >  RemoteIPTrustedProxyList
> > -Declare client intranet IP addresses trusted to present
> the RemoteIPHeader value
> > +Restrict client IP addresses trusted to present the
> RemoteIPHeader value
> >  RemoteIPTrustedProxyList filename
> >  server configvirtual
> host
> >
> >
> >
>
>
>
> --
> Eric Covener
> cove...@gmail.com
>


Re: svn commit: r1704683 - /httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml

2015-09-22 Thread Eric Covener
Maybe my followup is better phrased.  No issue with handling of internal IPs.

Currently, we act like RemoteIPTrustedProxy * by default (once they've
named the XFF header) and warn people they'd better restrict it.

On Tue, Sep 22, 2015 at 9:20 PM, William A Rowe Jr  wrote:
> I will try, I'm having trouble coming to terms with the idea because there
> is no way one would ever want private IP info from networks outside of
> their control to be used for access control.
>
> If you require ip 127.0.0.1 for your monitoring app/mod_status for example,
> this suggestion completely destroys your ability to perform that.  Private
> IP assignments are just that, and their inclusion in this module was
> largely for bridged private environments where the administrator has
> control of both.
>
> On Tue, Sep 22, 2015 at 1:13 PM, Eric Covener  wrote:
>>
>> I struggled with the phrasing here, any fine-tuning (or more) appreciated.
>>
>> Does our default make sense considering the warning at the top of the
>> doc? Should we make people specify "RemoteIPTrustedProxy *" if they
>> don't want to restrict it?
>>
>> On Tue, Sep 22, 2015 at 2:11 PM,   wrote:
>> > Author: covener
>> > Date: Tue Sep 22 18:11:35 2015
>> > New Revision: 1704683
>> >
>> > URL: http://svn.apache.org/viewvc?rev=1704683&view=rev
>> > Log:
>> > add warnings and emphasize the defaults for trusted non-internal
>> > proxies)
>> >
>> >
>> > Modified:
>> > httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
>> >
>> > Modified: httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
>> > URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml?rev=1704683&r1=1704682&r2=1704683&view=diff
>> >
>> > ==
>> > --- httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml (original)
>> > +++ httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml Tue Sep 22
>> > 18:11:35 2015
>> > @@ -113,9 +113,12 @@ via the request headers.
>> >  header-field header as the useragent IP address, or list
>> >  of intermediate useragent IP addresses, subject to further
>> > configuration
>> >  of the > > module="mod_remoteip">RemoteIPInternalProxy and
>> > -RemoteIPTrustedProxy
>> > directives.  Unless these
>> > -other directives are used, mod_remoteip will trust
>> > all
>> > -hosts presenting a > > module="mod_remoteip">RemoteIPHeader IP value.
>> > +RemoteIPTrustedProxy
>> > directives.
>> > +
>> > + Unless these other directives are used,
>> > mod_remoteip
>> > +will trust all hosts presenting a non internal address in the
>> > +RemoteIPHeader header
>> > value.
>> > +
>> >
>> >  Internal (Load Balancer) Example
>> >  
>> > @@ -213,20 +216,26 @@ RemoteIPProxiesHeader X-Forwarded-By
>> >
>> >  
>> >  RemoteIPTrustedProxy
>> > -Declare client intranet IP addresses trusted to present
>> > the RemoteIPHeader value
>> > +Restrict client IP addresses trusted to present the
>> > RemoteIPHeader value
>> >  RemoteIPTrustedProxy
>> > proxy-ip|proxy-ip/subnet|hostname
>> > ...
>> >  server configvirtual
>> > host
>> >
>> >  
>> > -The > > module="mod_remoteip">RemoteIPTrustedProxy directive adds one
>> > -or more addresses (or address blocks) to trust as presenting a
>> > valid
>> > -RemoteIPHeader value of the useragent IP.  Unlike the
>> > -RemoteIPInternalProxy
>> > directive, any intranet
>> > +The > > module="mod_remoteip">RemoteIPTrustedProxy
>> > +directive restricts which peer IP addresses (or address blocks)
>> > will be
>> > +trusted to present  a valid RemoteIPHeader value of the useragent
>> > IP.
>> > +
>> > + Unlike the > > module="mod_remoteip">RemoteIPInternalProxy directive, any
>> > intranet
>> >  or private IP address reported by such proxies, including the 10/8,
>> > 172.16/12,
>> >  192.168/16, 169.254/16 and 127/8 blocks (or outside of the IPv6
>> > public
>> >  2000::/3 block) are not trusted as the useragent IP, and are left
>> > in the
>> >  RemoteIPHeader
>> > header's value.
>> >
>> > +By default, mod_remoteip will
>> > trust
>> > +all hosts presenting a non internal address in the
>> > +RemoteIPHeader header
>> > value.
>> > +
>> > +
>> >  Trusted (Load Balancer) Example
>> >  
>> >  RemoteIPHeader X-Forwarded-For
>> > @@ -239,7 +248,7 @@ RemoteIPTrustedProxy proxy.example.com
>> >
>> >  
>> >  RemoteIPTrustedProxyList
>> > -Declare client intranet IP addresses trusted to present
>> > the RemoteIPHeader value
>> > +Restrict client IP addresses trusted to present the
>> > RemoteIPHeader value
>> >  RemoteIPTrustedProxyList filename
>> >  server configvirtual
>> > host
>> >
>> >
>> >
>>
>>
>>
>> --
>> Eric Covener
>> cove...@gmail.com
>
>



-- 
Eric Covener
cove...@gmail.com


Re: svn commit: r1704683 - /httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml

2015-09-22 Thread William A Rowe Jr
On Tue, Sep 22, 2015 at 8:48 PM, Eric Covener  wrote:

> Maybe my followup is better phrased.  No issue with handling of internal
> IPs.
>
> Currently, we act like RemoteIPTrustedProxy * by default (once they've
> named the XFF header) and warn people they'd better restrict it.
>

I agree that was not the original design and we should address it with a fix
rather than a docs fix, IMHO.  'Trusted' is the exception, not the general
case.