Re: svn commit: r1704683 - /httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
On Tue, Sep 22, 2015 at 11:09 PM, William A Rowe Jr wrote:
> On Tue, Sep 22, 2015 at 8:48 PM, Eric Covener wrote:
>>
>> Maybe my followup is better phrased. No issue with handling of internal
>> IPs.
>>
>> Currently, we act like RemoteIPTrustedProxy * by default (once they've
>> named the XFF header) and warn people they'd better restrict it.
>
>
> I agree that was not the original design and we should address it with a fix
> rather than a docs fix, IMHO. 'Trusted' is the exception, not the general
> case.

bump. I don't love the idea of changing the 2.4 defaults.

Current doc already says "Unless these other directives are used,
mod_remoteip will trust all hosts presenting a RemoteIPHeader IP value."
so I thought it was wise to reinforce this in other sections.

Doc is not back-ported yet.
Re: svn commit: r1704683 - /httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
> On Oct 6, 2015, at 10:47 AM, Eric Covener wrote:
>
> On Tue, Sep 22, 2015 at 11:09 PM, William A Rowe Jr
> wrote:
>> On Tue, Sep 22, 2015 at 8:48 PM, Eric Covener wrote:
>>>
>>> Maybe my followup is better phrased. No issue with handling of internal
>>> IPs.
>>>
>>> Currently, we act like RemoteIPTrustedProxy * by default (once they've
>>> named the XFF header) and warn people they'd better restrict it.
>>
>>
>> I agree that was not the original design and we should address it with a fix
>> rather than a docs fix, IMHO. 'Trusted' is the exception, not the general
>> case.
>
> bump. I don't love the idea of changing the 2.4 defaults.

+1

> Current doc already says "Unless these other directives are used,
> mod_remoteip will trust all hosts presenting a RemoteIPHeader IP
> value." so I thought it was wise to reinforce this in other sections.
> Doc is not back-ported yet.
Re: svn commit: r1704683 - /httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
I struggled with the phrasing here, any fine-tuning (or more) appreciated.

Does our default make sense considering the warning at the top of the
doc? Should we make people specify "RemoteIPTrustedProxy *" if they
don't want to restrict it?

On Tue, Sep 22, 2015 at 2:11 PM, wrote:
> Author: covener
> Date: Tue Sep 22 18:11:35 2015
> New Revision: 1704683
>
> URL: http://svn.apache.org/viewvc?rev=1704683&view=rev
> Log:
> add warnings and emphasize the defaults for trusted non-internal proxies)
>
>
> Modified:
> httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
>
> Modified: httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml?rev=1704683&r1=1704682&r2=1704683&view=diff
> ==
> --- httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml (original) > +++ httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml Tue Sep 22 18:11:35 > 2015 > @@ -113,9 +113,12 @@ via the request headers. > header-field header as the useragent IP address, or list > of intermediate useragent IP addresses, subject to further configuration > of the module="mod_remoteip">RemoteIPInternalProxy and > -RemoteIPTrustedProxy > directives. Unless these > -other directives are used, mod_remoteip will trust all > -hosts presenting a module="mod_remoteip">RemoteIPHeader IP value. > +RemoteIPTrustedProxy > directives. > + > + Unless these other directives are used, > mod_remoteip > +will trust all hosts presenting a non internal address in the > +RemoteIPHeader header value. > + > > Internal (Load Balancer) Example 
> > @@ -213,20 +216,26 @@ RemoteIPProxiesHeader X-Forwarded-By > > > RemoteIPTrustedProxy > -Declare client intranet IP addresses trusted to present the > RemoteIPHeader value > +Restrict client IP addresses trusted to present the > RemoteIPHeader value > RemoteIPTrustedProxy > proxy-ip|proxy-ip/subnet|hostname > ... > server configvirtual > host > > > -The RemoteIPTrustedProxy > directive adds one > -or more addresses (or address blocks) to trust as presenting a valid > -RemoteIPHeader value of the useragent IP. Unlike the > -RemoteIPInternalProxy > directive, any intranet > +The RemoteIPTrustedProxy > +directive restricts which peer IP addresses (or address blocks) will be > +trusted to present a valid RemoteIPHeader value of the useragent IP. > + > + Unlike the module="mod_remoteip">RemoteIPInternalProxy directive, any > intranet > or private IP address reported by such proxies, including the 10/8, > 172.16/12, > 192.168/16, 169.254/16 and 127/8 blocks (or outside of the IPv6 public > 2000::/3 block) are not trusted as the useragent IP, and are left in the > RemoteIPHeader header's > value. > > +By default, mod_remoteip will trust > +all hosts presenting a non internal address in the > +RemoteIPHeader header value. > + > + > Trusted (Load Balancer) Example > > RemoteIPHeader X-Forwarded-For > @@ -239,7 +248,7 @@ RemoteIPTrustedProxy proxy.example.com > > > RemoteIPTrustedProxyList > -Declare client intranet IP addresses trusted to present the > RemoteIPHeader value > +Restrict client IP addresses trusted to present the > RemoteIPHeader value > RemoteIPTrustedProxyList filename > server configvirtual > host > > > -- Eric Covener cove...@gmail.com
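Review bot: in the first hunk (@@ -113,9 +113,12 @@) the added paragraph's "a non internal address" should read "a non-internal address" (compound modifier; the same spelling is repeated in the RemoteIPTrustedProxy hunk and in the log message). The paragraph also leaves out the precondition that makes the warning true: as this thread notes, the trust-all behaviour only starts once a RemoteIPHeader has been named, so something like "Once RemoteIPHeader is set and neither RemoteIPInternalProxy nor RemoteIPTrustedProxy is configured, mod_remoteip will trust all hosts presenting a non-internal address in that header" states the default precisely and tells the reader which two directives turn it off.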
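Review bot: in the second hunk (@@ -213,20 +216,26 @@) the new "By default, mod_remoteip will trust all hosts presenting a non internal address in the RemoteIPHeader header value" paragraph restates the first hunk's sentence word for word; one of the two should point at the other, and this is the better place to spell out what a reader of RemoteIPTrustedProxy needs: that listing even one RemoteIPTrustedProxy (or RemoteIPInternalProxy) entry switches the module from trusting every peer to trusting only the listed ones, which is what "directive restricts which peer IP addresses (or address blocks) will be trusted" implies without saying. The reworded description "Restrict client IP addresses trusted to present the RemoteIPHeader value" is a correction in its own right, since the old "Declare client intranet IP addresses" contradicted the body text that follows it, which says intranet addresses reported by such proxies are exactly what is not trusted.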
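Review bot: in the third hunk (@@ -239,7 +248,7 @@) only the one-line description of RemoteIPTrustedProxyList changes, to match the RemoteIPTrustedProxy wording, whereas the RemoteIPTrustedProxy hunk also reworked its body text and added the "By default" note; the List variant's body should get the same "restricts which peer IP addresses ... will be trusted" treatment, or at least a pointer to the RemoteIPTrustedProxy section, so the two directives do not describe the same trust rule in two different ways.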
Re: svn commit: r1704683 - /httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
I will try, I'm having trouble coming to terms with the idea because there
is no way one would ever want private IP info from networks outside of their
control to be used for access control.

If you require ip 127.0.0.1 for your monitoring app/mod_status for example,
this suggestion completely destroys your ability to perform that. Private IP
assignments are just that, and their inclusion in this module was largely
for bridged private environments where the administrator has control of both.

On Tue, Sep 22, 2015 at 1:13 PM, Eric Covener wrote:
> I struggled with the phrasing here, any fine-tuning (or more) appreciated.
>
> Does our default make sense considering the warning at the top of the
> doc? Should we make people specify "RemoteIPTrustedProxy *" if they
> don't want to restrict it?
>
> On Tue, Sep 22, 2015 at 2:11 PM, wrote:
> > Author: covener
> > Date: Tue Sep 22 18:11:35 2015
> > New Revision: 1704683
> >
> > URL: http://svn.apache.org/viewvc?rev=1704683&view=rev
> > Log:
> > add warnings and emphasize the defaults for trusted non-internal proxies)
> >
> >
> > Modified:
> > httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
> >
> > Modified: httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
> > URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml?rev=1704683&r1=1704682&r2=1704683&view=diff
> > ==
> > --- httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml (original) > > +++ httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml Tue Sep 22 > 18:11:35 2015 
> > @@ -113,9 +113,12 @@ via the request headers. > > header-field header as the useragent IP address, or list > > of intermediate useragent IP addresses, subject to further > configuration > > of the module="mod_remoteip">RemoteIPInternalProxy and > > -RemoteIPTrustedProxy > directives. Unless these > > -other directives are used, mod_remoteip will trust > all > > -hosts presenting a module="mod_remoteip">RemoteIPHeader IP value. > > +RemoteIPTrustedProxy > directives. > > + > > + Unless these other directives are used, > mod_remoteip > > +will trust all hosts presenting a non internal address in the > > +RemoteIPHeader header > value. > > + > > > > Internal (Load Balancer) Example 
> > > > @@ -213,20 +216,26 @@ RemoteIPProxiesHeader X-Forwarded-By > > > > > > RemoteIPTrustedProxy > > -Declare client intranet IP addresses trusted to present > the RemoteIPHeader value > > +Restrict client IP addresses trusted to present the > RemoteIPHeader value > > RemoteIPTrustedProxy > proxy-ip|proxy-ip/subnet|hostname > ... > > server configvirtual > host > > > > > > -The module="mod_remoteip">RemoteIPTrustedProxy directive adds one > > -or more addresses (or address blocks) to trust as presenting a valid > > -RemoteIPHeader value of the useragent IP. Unlike the > > -RemoteIPInternalProxy > directive, any intranet > > +The module="mod_remoteip">RemoteIPTrustedProxy > > +directive restricts which peer IP addresses (or address blocks) > will be > > +trusted to present a valid RemoteIPHeader value of the useragent > IP. > > + > > + Unlike the module="mod_remoteip">RemoteIPInternalProxy directive, any > intranet > > or private IP address reported by such proxies, including the 10/8, > 172.16/12, > > 192.168/16, 169.254/16 and 127/8 blocks (or outside of the IPv6 > public > > 2000::/3 block) are not trusted as the useragent IP, and are left > in the > > RemoteIPHeader > header's value. > > > > +By default, mod_remoteip will > trust > > +all hosts presenting a non internal address in the > > +RemoteIPHeader header > value. > > + > > + > > Trusted (Load Balancer) Example > > > > RemoteIPHeader X-Forwarded-For > > @@ -239,7 +248,7 @@ RemoteIPTrustedProxy proxy.example.com > > > > > > RemoteIPTrustedProxyList > > -Declare client intranet IP addresses trusted to present > the RemoteIPHeader value > > +Restrict client IP addresses trusted to present the > RemoteIPHeader value > > RemoteIPTrustedProxyList filename > > server configvirtual > host > > > > > > > > > > -- > Eric Covener > cove...@gmail.com >
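A runnable model of the behaviour the thread argues about, added here as an illustration and not code from mod_remoteip or from any participant. It walks a RemoteIPHeader value from right to left the way the documentation quoted in the patch describes: when neither RemoteIPInternalProxy nor RemoteIPTrustedProxy is set every peer is treated as a trusted (non-internal) proxy, a private address is accepted as the useragent IP only when an internal proxy vouches for it, and a rejected private address is left in the header. The function names (`resolve_useragent_ip`, `is_private`, `require_ip`), the peer addresses and header values are constructed for this example; the private-block list is the one the patch text quotes.

```python
import ipaddress

# Blocks the mod_remoteip documentation (quoted in the patch above) never
# accepts as a useragent IP when presented by a trusted, non-internal proxy.
PRIVATE_V4_BLOCKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]
IPV6_PUBLIC = ipaddress.ip_network("2000::/3")


def is_private(addr):
    """True for the listed intranet/private IPv4 blocks, or for any IPv6
    address outside the public 2000::/3 block."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return ip not in IPV6_PUBLIC
    return any(ip in block for block in PRIVATE_V4_BLOCKS)


def _in_any(ip, nets):
    # Version-mismatched membership tests are simply False in ipaddress.
    return any(ip in net for net in nets)


def resolve_useragent_ip(peer, header_value, internal=(), trusted=()):
    """Model (constructed for this example) of how mod_remoteip chooses the
    useragent IP from a RemoteIPHeader such as X-Forwarded-For.

    peer         -- address of the TCP peer that delivered the request
    header_value -- "client, proxy1, proxy2" as received
    internal     -- RemoteIPInternalProxy entries (addresses or CIDR blocks)
    trusted      -- RemoteIPTrustedProxy entries (addresses or CIDR blocks)
    Returns (useragent_ip, header value left over after the walk).
    """
    internal_nets = [ipaddress.ip_network(n, strict=False) for n in internal]
    trusted_nets = [ipaddress.ip_network(n, strict=False) for n in trusted]
    restricted = bool(internal_nets or trusted_nets)

    hops = [h.strip() for h in header_value.split(",") if h.strip()]
    useragent = peer
    presenter = ipaddress.ip_address(peer)   # the host vouching for hops[-1]

    while hops:
        if _in_any(presenter, internal_nets):
            internal_presenter = True
        elif _in_any(presenter, trusted_nets):
            internal_presenter = False
        elif restricted:
            break            # proxy lists exist and this presenter is not on them
        else:
            internal_presenter = False   # default: acts like RemoteIPTrustedProxy *

        candidate = hops[-1]
        try:
            candidate_ip = ipaddress.ip_address(candidate)
        except ValueError:
            break            # not an address: stop and leave it in the header
        if not internal_presenter and is_private(candidate):
            break            # private address from a non-internal proxy stays put

        hops.pop()
        useragent = candidate
        presenter = candidate_ip

    return useragent, ", ".join(hops)


def require_ip(useragent_ip, allowed):
    """Stand-in (constructed) for a 'Require ip' rule evaluated against the
    address mod_remoteip substituted for the peer."""
    return ipaddress.ip_address(useragent_ip) in ipaddress.ip_network(allowed, strict=False)


if __name__ == "__main__":
    # Constructed sample traffic: 203.0.113.9 is an arbitrary Internet host,
    # 192.0.2.10 is the operator's own load balancer.
    print(resolve_useragent_ip("203.0.113.9", "198.51.100.7"))                       # trust-all default
    print(resolve_useragent_ip("203.0.113.9", "127.0.0.1"))                          # private: left in header
    print(resolve_useragent_ip("203.0.113.9", "198.51.100.7", trusted=["192.0.2.10"]))
    print(resolve_useragent_ip("192.0.2.10", "198.51.100.7, 10.0.0.5", trusted=["192.0.2.10"]))
    print(resolve_useragent_ip("192.0.2.10", "198.51.100.7, 10.0.0.5",
                               internal=["192.0.2.10", "10.0.0.0/8"]))
    # The mod_status concern from the thread: loopback only reaches a
    # 'Require ip 127.0.0.1' check if an internal proxy is allowed to vouch for it.
    ua, _ = resolve_useragent_ip("203.0.113.9", "127.0.0.1", internal=["203.0.113.0/24"])
    print(ua, require_ip(ua, "127.0.0.1"))
```

The first two calls show the default Eric describes: with no proxy directives any peer can supply a public useragent address, while a private one is refused and stays in the header. The third call shows that naming a single RemoteIPTrustedProxy flips the module from trust-all to trust-listed. The last call is the point Bill raises: an internal proxy is permitted to vouch for loopback and RFC 1918 addresses, so RemoteIPInternalProxy must cover only networks the administrator actually controls; listing an outside network (the 203.0.113.0/24 case, a deliberate misconfiguration in this example) means any host on it can satisfy a loopback-only access rule.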
Re: svn commit: r1704683 - /httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
Maybe my followup is better phrased. No issue with handling of internal IPs.

Currently, we act like RemoteIPTrustedProxy * by default (once they've
named the XFF header) and warn people they'd better restrict it.

On Tue, Sep 22, 2015 at 9:20 PM, William A Rowe Jr wrote:
> I will try, I'm having trouble coming to terms with the idea because there
> is no way one would ever want private IP info from networks outside of their
> control to be used for access control.
>
> If you require ip 127.0.0.1 for your monitoring app/mod_status for example,
> this suggestion completely destroys your ability to perform that. Private IP
> assignments are just that, and their inclusion in this module were largely
> for bridged private environments where the administrator has control of both.
>
> On Tue, Sep 22, 2015 at 1:13 PM, Eric Covener wrote:
>>
>> I struggled with the phrasing here, any fine-tuning (or more) appreciated.
>>
>> Does our default make sense considering the warning at the top of the
>> doc? Should we make people specify "RemoteIPTrustedProxy *" if they
>> don't want to restrict it?
>>
>> On Tue, Sep 22, 2015 at 2:11 PM, wrote:
>> > Author: covener
>> > Date: Tue Sep 22 18:11:35 2015
>> > New Revision: 1704683
>> >
>> > URL: http://svn.apache.org/viewvc?rev=1704683&view=rev
>> > Log:
>> > add warnings and emphasize the defaults for trusted non-internal
>> > proxies)
>> >
>> >
>> > Modified:
>> > httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
>> >
>> > Modified: httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
>> > URL:
>> > http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml?rev=1704683&r1=1704682&r2=1704683&view=diff
>> >
>> > ==
>> > --- httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml (original) >> > +++ httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml Tue Sep 22 >> > 18:11:35 2015 
>> > @@ -113,9 +113,12 @@ via the request headers. >> > header-field header as the useragent IP address, or list >> > of intermediate useragent IP addresses, subject to further >> > configuration >> > of the > > module="mod_remoteip">RemoteIPInternalProxy and >> > -RemoteIPTrustedProxy >> > directives. Unless these >> > -other directives are used, mod_remoteip will trust >> > all >> > -hosts presenting a > > module="mod_remoteip">RemoteIPHeader IP value. >> > +RemoteIPTrustedProxy >> > directives. >> > + >> > + Unless these other directives are used, >> > mod_remoteip >> > +will trust all hosts presenting a non internal address in the >> > +RemoteIPHeader header >> > value. >> > + >> > >> > Internal (Load Balancer) Example 
>> > >> > @@ -213,20 +216,26 @@ RemoteIPProxiesHeader X-Forwarded-By >> > >> > >> > RemoteIPTrustedProxy >> > -Declare client intranet IP addresses trusted to present >> > the RemoteIPHeader value >> > +Restrict client IP addresses trusted to present the >> > RemoteIPHeader value >> > RemoteIPTrustedProxy >> > proxy-ip|proxy-ip/subnet|hostname >> > ... >> > server configvirtual >> > host >> > >> > >> > -The > > module="mod_remoteip">RemoteIPTrustedProxy directive adds one >> > -or more addresses (or address blocks) to trust as presenting a >> > valid >> > -RemoteIPHeader value of the useragent IP. Unlike the >> > -RemoteIPInternalProxy >> > directive, any intranet >> > +The > > module="mod_remoteip">RemoteIPTrustedProxy >> > +directive restricts which peer IP addresses (or address blocks) >> > will be >> > +trusted to present a valid RemoteIPHeader value of the useragent >> > IP. >> > + >> > + Unlike the > > module="mod_remoteip">RemoteIPInternalProxy directive, any >> > intranet >> > or private IP address reported by such proxies, including the 10/8, >> > 172.16/12, >> > 192.168/16, 169.254/16 and 127/8 blocks (or outside of the IPv6 >> > public >> > 2000::/3 block) are not trusted as the useragent IP, and are left >> > in the >> > RemoteIPHeader >> > header's value. >> > >> > +By default, mod_remoteip will >> > trust >> > +all hosts presenting a non internal address in the >> > +RemoteIPHeader header >> > value. >> > + >> > + >> > Trusted (Load Balancer) Example >> > >> > RemoteIPHeader X-Forwarded-For >> > @@ -239,7 +248,7 @@ RemoteIPTrustedProxy proxy.example.com >> > >> > >> > RemoteIPTrustedProxyList >> > -Declare client intranet IP addresses trusted to present >> > the RemoteIPHeader value >> > +Restrict client IP addresses trusted to present the >> > RemoteIPHeader value >> > RemoteIPTrustedProxyList filename >> > server configvirtual >> > host >> > >> > >> > >> >> >> >> -- >> Eric Covener >> cove...@gmail.com > > -- Eric Covener cove...@gmail.com
Re: svn commit: r1704683 - /httpd/httpd/trunk/docs/manual/mod/mod_remoteip.xml
On Tue, Sep 22, 2015 at 8:48 PM, Eric Covener wrote:
> Maybe my followup is better phrased. No issue with handling of internal
> IPs.
>
> Currently, we act like RemoteIPTrustedProxy * by default (once they've
> named the XFF header) and warn people they'd better restrict it.
>

I agree that was not the original design and we should address it with a fix
rather than a docs fix, IMHO. 'Trusted' is the exception, not the general
case.