On Tue, Aug 07, 2012 at 03:11:46PM +0200, Sébastien Bocahu wrote:
> I don't want to. It was "allowed" until now, as X-Forwarded-For headers were
> not deleted by the reverse proxy.

By *some* reverse proxies. It depends on configuration.

> I still think that many people are using Debian and mod_rpaf, and are not
> deleting these headers.
> Won't you do anything for them ?

Don't get me wrong - it's a real bug, not a feature. Of course, I'll try to prepare a fix ASAP. Feel free to help with a patch...

> Agreed. Still, there's a bug

Yep.

> and this "solution" is - a "best practice" but - only a
> workaround to this bug.

It's more than just a workaround. It's a real fix in most cases. People should review their configuration to use (nginx example) something like this:

    proxy_set_header X-Forwarded-For $remote_addr;

instead of this:

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

> * there are no words about it in the docs provided by Debian :

Maybe we should add something...

> * The bug is exposed by the ipv6 patch which has been applied by Debian.

Yes, but this patch is just a trigger for the problem (garbage in r->connection->remote_ip). I don't think there is something wrong with the patch itself.

> I cannot reproduce the segfaults with upstream sources.
> There is likely to be an issue with upstream code, but the NULL pointer
> dereference has been introduced by Debian.

Try to use host-based access control (directives allow/deny, etc).
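
Added example (not part of the original message, and not mod_rpaf or nginx code): a small C model of the two nginx settings quoted above, plus a backend-side check that accepts a forwarded entry only if it parses as an IPv4 or IPv6 literal. The function names `proxy_xff` and `xff_entry` and the sample values are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Header the proxy sends upstream. append=1 models $proxy_add_x_forwarded_for
 * (client value kept, peer appended); append=0 models $remote_addr. */
static void proxy_xff(const char *client_hdr, const char *peer, int append,
                      char *out, size_t n)
{
    if (append && client_hdr && *client_hdr)
        snprintf(out, n, "%s, %s", client_hdr, peer);
    else
        snprintf(out, n, "%s", peer);
}

/* Copy entry `which` (0 = first, -1 = last) of a comma-separated header value
 * into out, trimmed. Returns 1 only if it parses as an IPv4/IPv6 literal;
 * on 0 the caller should keep the socket peer address. */
static int xff_entry(const char *xff, int which, char *out, size_t n)
{
    unsigned char bin[sizeof(struct in6_addr)];
    const char *start = xff, *end = xff + strlen(xff);
    if (which < 0) {
        const char *c = strrchr(xff, ',');
        if (c) start = c + 1;
    } else {
        const char *c = strchr(xff, ',');
        if (c) end = c;
    }
    while (*start == ' ' || *start == '\t') start++;
    while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;
    size_t len = (size_t)(end - start);
    if (len == 0 || len >= n) return 0;
    memcpy(out, start, len);
    out[len] = '\0';
    return inet_pton(AF_INET, out, bin) == 1 || inet_pton(AF_INET6, out, bin) == 1;
}

int main(void)
{
    /* Constructed sample: client sent a bogus X-Forwarded-For value. */
    char hdr[128], ip[INET6_ADDRSTRLEN];
    proxy_xff("not-an-ip", "192.0.2.10", 1, hdr, sizeof hdr);
    printf("append:    first entry valid=%d\n", xff_entry(hdr, 0, ip, sizeof ip));
    proxy_xff("not-an-ip", "192.0.2.10", 0, hdr, sizeof hdr);
    printf("overwrite: first entry valid=%d\n", xff_entry(hdr, 0, ip, sizeof ip));
    return 0;
}
```

With the appending setting the first entry is whatever the client sent, so only the entry written by the proxy itself, validated before use, is safe to adopt as the remote address.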