Re: Simple mod_perl Question
> * Jeff Bisbee (mod_perl-users@xxxxxxx.xxx) wrote:
> > # set actual ip of host doing the requesting instead of the proxy
> > my ($actual_remote_ip) = split /,/, $r->header_in('X-Forwarded-For');
> > $r->connection->remote_ip($actual_remote_ip) if $actual_remote_ip;
> >
> > I just wanted to make sure there would be any conditions that the above
> > code wouldn't handle.
>
> I guess I just want some quick feedback to make sure I'm going about
> replacing the IP the right way and there isn't a better way to do it.
See http://perl.apache.org/docs/1.0/guide/scenario.html#Usage for a
better example. The problem with this snippet is that now anyone can
send their own X-Forwarded-For header and forge the source IP
address.

Better check that the request is actually coming from your reverse
proxy. I'll paste it here from the link (but yahoo mail will probably
mangle it somehow):

    use Apache::Constants ();

    sub My::ProxyRemoteAddr ($) {
        my $r = shift;

        # we'll only look at the X-Forwarded-For header if the request
        # comes from our proxy at localhost
        return Apache::Constants::OK
            unless ($r->connection->remote_ip eq "127.0.0.1")
               and $r->header_in('X-Forwarded-For');

        # Select last value in the chain -- original client's ip
        if (my ($ip) = $r->headers_in->{'X-Forwarded-For'} =~ /([^,\s]+)$/) {
            $r->connection->remote_ip($ip);
        }

        return Apache::Constants::OK;
    }
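
The check described in the reply above, generalized to more than one trusted proxy, as an added example that is not part of the original message or of the mod_perl guide. It is plain Perl with no Apache dependency; the helper name client_ip, the %TRUSTED_PROXY list and every address are assumptions constructed for illustration, and only IPv4 is handled.

```perl
use strict;
use warnings;

# Assumption: the reverse proxies we operate (constructed addresses).
my %TRUSTED_PROXY = map { $_ => 1 } qw(127.0.0.1 10.0.0.5);

# Hypothetical helper: pick the address to treat as the client.
sub client_ip {
    my ($peer_ip, $xff) = @_;

    # The header only means something if one of our proxies delivered it.
    return $peer_ip unless $TRUSTED_PROXY{$peer_ip};
    return $peer_ip unless defined $xff && length $xff;

    # Each proxy appends the address it saw, so walk right to left and
    # stop at the first entry that is not one of our own hosts.
    for my $hop (reverse split /,/, $xff) {
        $hop =~ s/^\s+|\s+$//g;
        my @octets = $hop =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
        # Malformed entry: fall back to the peer rather than trust the text.
        return $peer_ip if @octets != 4 or grep { $_ > 255 } @octets;
        next if $TRUSTED_PROXY{$hop};    # one of ours, keep walking
        return $hop;
    }
    return $peer_ip;                     # chain listed only our own proxies
}

# Constructed cases: [ peer address, X-Forwarded-For value, expected ]
my @cases = (
    [ '198.51.100.9', '192.0.2.1',              '198.51.100.9' ],  # not via proxy
    [ '127.0.0.1',    '203.0.113.7',            '203.0.113.7'  ],  # normal request
    [ '127.0.0.1',    '192.0.2.1, 203.0.113.7', '203.0.113.7'  ],  # client-sent entry
    [ '127.0.0.1',    '203.0.113.7, 10.0.0.5',  '203.0.113.7'  ],  # two of our proxies
    [ '127.0.0.1',    'not-an-ip',              '127.0.0.1'    ],  # malformed value
);

for my $c (@cases) {
    my ($peer, $xff, $want) = @$c;
    my $got = client_ip($peer, $xff);
    my ($first) = split /,/, $xff;       # what taking the first value yields
    printf "%-13s %-24s chosen=%-13s first=%-11s %s\n",
        $peer, $xff, $got, $first, $got eq $want ? 'ok' : 'MISMATCH';
}
```

In a mod_perl 1 handler the returned value would be passed to `$r->connection->remote_ip(...)`, as in the guide's code pasted in the reply.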
Re: Simple mod_perl Question
J b 19:07 on 07 Jan 2005