git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 62377] Implement Forwarded header (RFC 7239) in mod_remoteip


https://bz.apache.org/bugzilla/show_bug.cgi?id=62377

--- Comment #1 from William A. Rowe Jr. <wrowe@xxxxxxxxxx> ---
Patches are welcome.

The largest headache is unwinding Forwarded and X-F-F where they coexist
during any transition between the old and new behavior. This is my analysis
documented in the thread to help anyone get started;
https://lists.apache.org/thread.html/9887a4bb16dc09221996ff36e1dc65aa17353f634533c216626c4f7b%40%3Cdev.httpd.apache.org%3E



So I was unspooling how we would handle stacked variables.

Any PROXY protocol is the nearest hop; if multiple PROXY protocol header
lines occurred, the closest would be transmitted first, etc.

All local x-remoteip style values would be the next most distant hop; very
similar to the haproxy protocol, it indicates some absolutely trusted edge
router/balancer.

Any x-f-f that occurs would reflect all the next most distant hops. Finally,
any 'Forwarded' header (rfc7239) are the most distant hops. I'm basing
that conclusion on the fact that all 'Forwarded'-aware intermediaries which
construct a 'Forwarded' header would not carry the x-f-f, but concatenate
these as closer than the nearest 'Forwarded'-aware hop. So the presence
of an x-f-f header indicates the presence of a 'Forwarded'-unaware agent
between this incoming connection and the closest 'Forwarded'-aware agent.

I'm not suggesting these two enhancements, PROXY and RFC7239 are
intertwined, we can certainly ship them in different releases, but I was
having problems working out X-F-F vs Forwarded until I was working
through the PROXY logic and came to the conclusion above, and am
looking for others to sanity-check my logic on this.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: bugs-help@xxxxxxxxxxxxxxxx