Support for X-HTTPD-FORWARDED-FOR Re: [Zope-dev] Speaking of 2.6...
Jim Washington
jwashin@vt.edu
Wed, 10 Apr 2002 15:34:18 -0400
>
>
>>Correct me if I'm wrong, but this IMO makes spoofing against a naked
>>ZServer a child's play. It's just adding a custom header to the request.
>>I also doubt that every reverse proxy overwrites this header, so
>>zservers behind a proxy might also be hit.
>>
>
>Note: this is using another web server to front for zope. It turns out
>to be fairly safe -- I have used a variant for quite a while and did
>quite a bit of testing. For shorthand, I am going to call the other web
>server apache. Apache presumably uses something like getpeername to
>fill in its idea of HTTP_X_FORWARDED_FOR or REMOTE_ADDR. If the remote
>user attempts to spoof it (by using hidden variables, or other HTTP
>based techniques), the Zope server interprets this as a list, rather
>than the expected string. This is easy to detect, and in fact, if you
>fail to handle it, you will probably simply error out.
>
>If the attacker is using TCP spoofing, there is really not much you can
>do at an application level.
>
>On the other hand, I am now convinced that this is not an intelligent
>thing to do, not even for presentation. You already have Apache in
>front, so why not use rewriting rules to make the URL distinguishable.
>In this way, you can use one of the BASE or URL variables to determine
>how the person got in. This gives you pretty much the same level of
>control (especially if you are worried only about internal/external) as
>using IP addresses, without modifying either Zope or Apache.
>
Jim, Oliver
Thanks. I'm glad we have smart and knowledgeable people available to
discuss these kinds of things. My hope was that I could restrict my
Manager account to a short list of machines, even through a squid or
apache proxy. Essentially add a third thing to have besides username
and password. Which I still think is better than just username and
password, since Zope sees only *one* IP address coming from squid in the
current situation. I'll have to do some more thinking...
Regards,
-- Jim Washington
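Added example (my own code, not from the thread, from Zope or from Apache): the check Jim describes, restricting a Manager account to a short list of machines behind a reverse proxy, written so that the comma-separated list a client-injected X-Forwarded-For produces is detected rather than trusted. The proxy address and allowed networks are constructed sample values.

```python
import ipaddress

# Constructed sample values (not from the original message): the reverse
# proxy's address as Zope sees it, and the networks the Manager account
# may be used from.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
ALLOWED_MANAGER_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_forwarded_for(header):
    """Split an X-Forwarded-For value into addresses, oldest first.

    A proxy that appends the peer address it saw yields one entry; a
    client that injected its own header before the proxy appended yields
    a comma-separated list, the condition the thread describes.
    Raises ValueError on anything that is not an address.
    """
    if not header:
        return []
    return [ipaddress.ip_address(p.strip())
            for p in header.split(",") if p.strip()]


def client_address(remote_addr, forwarded_for):
    """Return (address to use, spoof_suspected).

    X-Forwarded-For is only believed when the TCP peer is one of our own
    proxies, and then only its LAST entry, the one the proxy appended.
    Any earlier entries came from the client and are flagged, not used.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES:
        # Naked ZServer: the header is client-controlled, so ignore it and
        # note that someone sent it at all.
        return peer, bool(forwarded_for)
    try:
        hops = parse_forwarded_for(forwarded_for)
    except ValueError:
        return peer, True          # garbage in the header is suspicious too
    if not hops:
        return peer, False         # proxy did not add the header
    return hops[-1], len(hops) > 1


def manager_allowed(remote_addr, forwarded_for):
    """True only when the derived client address is in an allowed network."""
    addr, suspect = client_address(remote_addr, forwarded_for)
    if suspect:
        return False
    return any(addr in net for net in ALLOWED_MANAGER_NETS)
```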