On 31/01/2011 21:54, Henri Gomez wrote:
>> Not necessarily. The closest immediate proxy is the last entry in that
>> list. You might not trust all of the machines in that proxy chain to provide
>> legitimate IP details.
>
> In my case, x-forwarded-for: 1.2.3.4, 10.122.47.36, 1.2.3.4 was my
> browser IP and 10.122.47.36 EC2 IP.
>
> The Valve is not activated by default and should only be used in
> Amazon Load Balancing case.
>
>> mod_remoteip has the concept of trusted vs. untrusted proxies, where only the
>> trusted ones will be allowed to present the next-immediate-left IP address as
>> a legitimate proxy address, and that IP is then compared to the trust list.
>
>> So you might trust yahoo or google's proxy servers, but not your typically
>> pwned user PC which is relaying spam or being employed as a DDoS agent.
>
> x-forwarded-server: domU-12-31-38-00-B2-08.compute-1.internal is a
> trusted server, aka EC2 box.
>
> So +1 to have this on RemoteIpFilter/Valve, a unique filter/valve to
> handle such cases.
> Mark, do you need code contribution on RemoteIp Valve?

Patches to RemoteIpFilter/Valve are the place to start. The issue of
trusted proxies is already handled so the patches should be able to take
advantage of that.

Mark
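
The right-to-left trust walk that the quoted text attributes to mod_remoteip, as an added Python example (not code from mod_remoteip, RemoteIpFilter/Valve or anyone in this thread). The function name, the 10.0.0.0/8 trust list and the peer address 10.0.0.5 are assumptions, and the sample headers are constructed.

```python
import ipaddress

# Assumption: proxies we operate (e.g. the load balancer tier) live in 10.0.0.0/8.
TRUSTED_PROXIES = ["10.0.0.0/8"]

def resolve_client_ip(peer, xff_header, trusted=TRUSTED_PROXIES):
    """Return (client_ip, proxy_chain) using a right-to-left trust walk.

    peer       -- address of the TCP connection that reached this server
    xff_header -- raw X-Forwarded-For value ("" if absent)
    """
    nets = [ipaddress.ip_network(n) for n in trusted]

    def is_trusted(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    client, chain = peer, []
    # An untrusted peer can put anything in the header: ignore it entirely.
    if not is_trusted(peer):
        return client, chain

    entries = [e.strip() for e in xff_header.split(",") if e.strip()]
    for entry in reversed(entries):          # nearest proxy's entry is last
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            break                            # e.g. "unknown": stop here
        chain.insert(0, client)              # current hop vouched for `entry`
        client = entry
        if not is_trusted(entry):
            break                            # everything further left is unverified
    return client, chain

if __name__ == "__main__":
    # Constructed inputs; 10.0.0.5 is a hypothetical load balancer address.
    print(resolve_client_ip("10.0.0.5", "1.2.3.4, 10.122.47.36"))
    # A client-supplied entry on the left must not win over the real client.
    print(resolve_client_ip("10.0.0.5", "203.0.113.9, 198.51.100.7, 10.122.47.36"))
```

Taking the leftmost entry unconditionally would return 203.0.113.9 for the second header, an address only the client itself supplied.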