[interchange-cvs] interchange - jon modified 2 files
interchange-core@icdevgroup.org
interchange-core@icdevgroup.org
Thu Dec 12 23:46:01 2002
User: jon
Date: 2002-12-13 04:45:17 GMT
Modified: lib/Vend Config.pm Server.pm
Log:
Add new global directive TrustProxy, which allows the administrator to
designate certain IP addresses or hostnames as trusted proxies, whose
claims (via the HTTP_X_FORWARDED_FOR environment variable) about the
original requesting host will be believed.
When using a front-end proxy for Interchange, all requests appear to come
from that proxy, say 127.0.0.1 if on the same machine, which is effectively
the same as running WideOpen because sessions can be easily hijacked. This
offers a way to bring back a little discernment about what host we're
really dealing with.
Usage is identical to the RobotIP directive's, for example:
TrustProxy 127.0.0.1, 10.0.0.*
I'm not sure why anyone would want to do this, but it could also be used
with external HTTP proxies in general (which hopefully aren't lying), with
a simple 'TrustProxy *'.
Revision Changes Path
2.86 +3 -2 interchange/lib/Vend/Config.pm
rev 2.86, prev_rev 2.85
Index: Config.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Config.pm,v
retrieving revision 2.85
retrieving revision 2.86
diff -u -u -r2.85 -r2.86
--- Config.pm 12 Dec 2002 03:16:42 -0000 2.85
+++ Config.pm 13 Dec 2002 04:45:17 -0000 2.86
@@ -1,6 +1,6 @@
# Vend::Config - Configure Interchange
#
-# $Id: Config.pm,v 2.85 2002/12/12 03:16:42 mheins Exp $
+# $Id: Config.pm,v 2.86 2002/12/13 04:45:17 jon Exp $
#
# Copyright (C) 1996-2002 Red Hat, Inc. <interchange@redhat.com>
#
@@ -45,7 +45,7 @@
use Vend::Util;
use Vend::Data;
-$VERSION = substr(q$Revision: 2.85 $, 10);
+$VERSION = substr(q$Revision: 2.86 $, 10);
my %CDname;
@@ -288,6 +288,7 @@
['TagDir', 'root_dir_array', 'code'],
['TemplateDir', 'root_dir_array', ''],
['DomainTail', 'yesno', 'Yes'],
+ ['TrustProxy', 'list_wildcard_full', ''],
['AcrossLocks', 'yesno', 'No'],
['RobotUA', 'list_wildcard', ''],
['RobotIP', 'list_wildcard_full', ''],
2.24 +26 -2 interchange/lib/Vend/Server.pm
rev 2.24, prev_rev 2.23
Index: Server.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Server.pm,v
retrieving revision 2.23
retrieving revision 2.24
diff -u -u -r2.23 -r2.24
--- Server.pm 24 Nov 2002 05:36:07 -0000 2.23
+++ Server.pm 13 Dec 2002 04:45:17 -0000 2.24
@@ -1,6 +1,6 @@
# Vend::Server - Listen for Interchange CGI requests as a background server
#
-# $Id: Server.pm,v 2.23 2002/11/24 05:36:07 mheins Exp $
+# $Id: Server.pm,v 2.24 2002/12/13 04:45:17 jon Exp $
#
# Copyright (C) 1996-2002 Red Hat, Inc. <interchange@redhat.com>
#
@@ -25,7 +25,7 @@
package Vend::Server;
use vars qw($VERSION);
-$VERSION = substr(q$Revision: 2.23 $, 10);
+$VERSION = substr(q$Revision: 2.24 $, 10);
use POSIX qw(setsid strftime);
use Vend::Util;
@@ -116,6 +116,30 @@
${"CGI::$field"} = $cgivar->{$cgi} if defined $cgivar->{$cgi};
#::logDebug("CGI::$field=" . ${"CGI::$field"});
}
+
+ # try to get originating host's IP address if request was
+ # forwarded through a trusted proxy
+ my $ip;
+ if ($Global::TrustProxy
+ and ($CGI::remote_addr =~ $Global::TrustProxy
+ or $CGI::remote_host =~ $Global::TrustProxy)
+ and $ip = $cgivar->{HTTP_X_FORWARDED_FOR}) {
+ # trim off intermediate proxies in comma-separated list
+ $ip =~ s/,.*//;
+ $ip =~ s/^\s+//; $ip =~ s/\s+$//;
+ if ($ip =~ /^\d\d?\d?\.\d\d?\d?\.\d\d?\d?\.\d\d?\d?$/) {
+ $CGI::remote_addr = $ip;
+ undef $CGI::remote_host;
+ }
+ else {
+ ::logGlobal(
+ { level => 'info' },
+ "Unknown HTTP_X_FORWARDED_FOR header set from trusted proxy %s: '%s'",
+ $CGI::remote_addr,
+ $cgivar->{HTTP_X_FORWARDED_FOR},
+ );
+ }
+ }
}
sub log_http_data {