[Web-SIG] REMOTE_ADDR and proxys
Robert Collins
robertc at robertcollins.net
Tue Oct 14 06:06:34 CEST 2014
On 14 October 2014 16:21, Graham Dumpleton <graham.dumpleton at gmail.com> wrote:
>
> This behaviour is by virtue of Apache 2.4 doing the blocking.
Nice :).
> There was however a bug in mod_wsgi which means that spoofed headers still
> got through in environ passed to mod_wsgi specific
> access/authentication/authorization hook extensions for Apache. This has
> been fixed in a recent release. At the same time it was decided to apply the
> more strict rules about what was allowed back to older Apache 2.2 as well,
> since Apache 2.2 doesn't do the blocking that Apache 2.4 does.
>
> Unfortunately because Linux distros ship out of date mod_wsgi versions, it
> can still be an issue there. Have been pondering turning the issue into a
> CERT just to force them to back port the fixes. :-)
+1 on that, it's indeed an issue and many folk won't consider the issue there.
For WSGI I agree that the protocol doesn't need to make these deployer
decisions etc - but we do need to clarify REMOTE_ADDR for Unix
sockets.
I've filed https://github.com/python-web-sig/wsgi-ng/issues/11 to track this.
-Rob
--
Robert Collins <rbtcollins at hp.com>
Distinguished Technologist
HP Converged Cloud