Re: Web access lists and http 1.1 ?

From: Jonathan Larmour <[email protected]>
Date: Thu, 28 Nov 1996 20:54:02 +0000

At 19:53 28/11/96 +0000, James R Grinter wrote:
>On Thu 28 Nov, 1996, Duane Wessels <wessels@nlanr.net> wrote:
>>Steve.Green@its.csiro.au writes:
>>>I've been looking into this "forwarded by ... for ... " header business
>>>with the proposed http 1.1 standard.
>>>
>>>How will web server access list security be done if clients come through
>>>a http 1.1 cache?
>>
>>I am planning to add a header named "X-Forwarded-For:" which will be a
>>list of client IP addresses seen through the request chain. e.g., each
>
[snip 8< ]
>If someone's using a remote cache, you couldn't trust the IP/name type
>information that would be passed to you anyway so it doesn't matter
>that there's none provided.

As well as the possibility of it being deliberately spoofed, there's also
the problem that many proxies will still be only for HTTP/1.0, and so if
e.g. this is the first proxy a client goes through, we'll lose the info.

I think the idea of access list security with Forwarded For/Via is not
feasible until HTTP/1.1 has been adopted just about everywhere. Only then
can we prevent spoofing by checking that getpeername() is listed in the
headers as the last "hop". A bit like Received: in mail.

Jonathan L.
Origin IT Services Ltd., 323 Cambridge Science Park, Cambridge, England.
Tel: +44 (1223) 423355 Fax: +44 (1223) 420724 E-mail: guess...
-------[ Do not think that every sad-eyed woman has loved and lost... ]------
-----------------------[ she may have got him. -Anon ]-----------------------
These opinions are all my own fault.
Received on Thu Nov 28 1996 - 13:05:00 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:33:40 MST