Name

TrustProxy — designate certain IP addresses or hostnames as trusted HTTP proxies

SYNOPSIS

hostname...

DESCRIPTION

The directive allows the Interchange administrator to designate certain IP addresses or hostnames as trusted HTTP proxies, whose claims about the original requesting host (made via the HTTP_X_FORWARDED_FOR environment variable, which the web server sets from the X-Forwarded-For request header) are assumed truthful and accurate. The header is honoured only when the connecting address matches this list: any client can send an X-Forwarded-For header of its own, so it must not be believed from an arbitrary source.

For example, if you run a front-end proxy in front of Interchange, every request appears to come from the proxy's address (say, 127.0.0.1 if it is on the same machine), so all clients appear to share one source IP address, much as if you had enabled WideOpen. Under such circumstances user session hijacking becomes trivial enough to happen by accident: if someone copies a URL that includes his or her session ID and gives it to others to visit, they all end up with the same user info and shopping cart.

To address this, TrustProxy takes a list of IP addresses and/or hostnames, separated by commas or whitespace (globbing is possible; see the examples), that are trusted proxies. When a request arrives from one of them, the value of HTTP_X_FORWARDED_FOR is used as the request source instead of the connecting IP address.

DIRECTIVE TYPE AND DEFAULT VALUE

Global directive

EXAMPLES

Example: Defining TrustProxy

TrustProxy 127.0.0.1 192.168.8.4

Example: Defining TrustProxy with "glob" values

TrustProxy 127.0.0.? 10.0.* 192.168.?.1

Example: Trusting all external proxies (a bad idea generally)

TrustProxy *

NOTES

"Globs" are * and ?. The * stands for any number of characters (including none), while ? stands for 1 character exactly.

The directive can also be used with external, untrusted HTTP proxies (which you can only hope are not lying) by giving a * glob (see the examples). Note that this trusts every connecting host, ordinary clients included, so anyone can claim an arbitrary source address simply by sending an X-Forwarded-For header; any access control or session binding that depends on the remote host is then defeated.

Note that the environment variables themselves are not modified in any way; only Interchange's idea of the remote host is altered, as seen with [data session host].
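The following Perl is added here as an illustration and is not part of Interchange or of this page. It shows the check that TrustProxy implies: the X-Forwarded-For claim is consulted only when the address that actually connected matches a compiled glob list, and a client that sets the header itself gains nothing unless the list is *. The glob compiler, the right-to-left handling of multi-hop header values, the function names and the sample addresses are all this example's own assumptions; Interchange's real get_wildcard_list() and its treatment of comma-separated header values are not shown on this page.

```perl
#!/usr/bin/perl
# Added example, not Interchange code: decide the request source the way a
# TrustProxy check must, believing HTTP_X_FORWARDED_FOR only when the peer
# that actually connected (REMOTE_ADDR) matches a trusted-proxy glob.
use strict;
use warnings;

# Compile a whitespace- or comma-separated list of globs into one anchored,
# case-insensitive regex.  Assumption: this reproduces the effect of
# Interchange's get_wildcard_list() for "*" and "?" as the page describes
# them; it is written from that description, not copied from Config.pm.
sub compile_trust_proxy {
    my ($spec) = @_;
    my @globs = grep { length } split /[\s,]+/, ($spec // '');
    return unless @globs;                  # empty directive: trust nobody
    my @alts = map {
        my $g = quotemeta($_);             # make the dots in addresses literal
        $g =~ s/\\\*/.*/g;                 # *  -> any number of characters
        $g =~ s/\\\?/./g;                  # ?  -> exactly one character
        $g;
    } @globs;
    my $value = join '|', @alts;
    return qr/^($value)$/i;                # same shape as parse_list_wildcard_full
}

# Resolve the client address.  The chain is the X-Forwarded-For hops (left
# to right) followed by the direct peer; walking from the right, each trusted
# hop vouches for the address to its left, and the first untrusted address is
# taken as the client.  Assumption: this walk is the example's own policy for
# multi-hop headers; the page only says the header's value is used.
sub resolve_remote_host {
    my ($trust_re, $env) = @_;
    my $peer = $env->{REMOTE_ADDR} // '';
    return $peer unless defined $trust_re;
    my @hops = grep { length }
               map { my $h = $_; $h =~ s/^\s+|\s+$//g; $h }
               split /,/, ($env->{HTTP_X_FORWARDED_FOR} // '');
    my @chain = (@hops, $peer);
    pop @chain while @chain > 1 && $chain[-1] =~ $trust_re;
    return $chain[-1];
}

# Constructed sample environments (not captured from a real server).
my $trusted  = compile_trust_proxy('127.0.0.? 10.0.*');
my $wideopen = compile_trust_proxy('*');   # "TrustProxy *", a bad idea
my @cases = (
    # behind a local proxy that appended the real client and an inner hop
    [ $trusted,  { REMOTE_ADDR => '127.0.0.1',
                   HTTP_X_FORWARDED_FOR => '203.0.113.9, 10.0.0.5' } ],
    # a direct client forging the header: ignored, its real address is kept
    [ $trusted,  { REMOTE_ADDR => '198.51.100.7',
                   HTTP_X_FORWARDED_FOR => '192.0.2.1' } ],
    # the same forgery under "TrustProxy *": the forged address is believed
    [ $wideopen, { REMOTE_ADDR => '198.51.100.7',
                   HTTP_X_FORWARDED_FOR => '192.0.2.1' } ],
);
for my $c (@cases) {
    my ($re, $env) = @$c;
    printf "peer %-14s xff %-24s -> host %s\n",
        $env->{REMOTE_ADDR}, $env->{HTTP_X_FORWARDED_FOR},
        resolve_remote_host($re, $env);
}
```

Run it with perl; the first case yields the real client behind two internal hops, the second keeps the forging client's own address, and the third shows why trusting * lets any client pick the address Interchange records in [data session host].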

AVAILABILITY

TrustProxy is available in Interchange versions:

4.6.0-5.9.0 (git-head)

SOURCE

Interchange 5.9.0:

Source: lib/Vend/Config.pm
Line 484

['TrustProxy',     'list_wildcard_full', ''],

Source: lib/Vend/Config.pm
Line 3859 (context shows lines 3859-3863)

sub parse_list_wildcard_full {
    my $value = get_wildcard_list(@_,1);
    return '' unless length($value);
    return qr/^($value)$/i;
}

AUTHORS

Interchange Development Group

SEE ALSO

WideOpen(7ic), IpHead(7ic), IpQuad(7ic), Mall(7ic)
