[Tickets #6133] Re: don't blindly trust x-forwarded-for
bugs at horde.org
bugs at horde.org
Wed Jan 23 11:57:43 UTC 2008
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=6133
-----------------------------------------------------------------------
Ticket | 6133
Updated By | uhlar at fantomas.sk
Summary | don't blindly trust x-forwarded-for
Queue | Horde Framework Packages
Version | FRAMEWORK_3
Type | Bug
State | Feedback
Priority | 1. Low
Milestone |
Patch |
Owners |
-----------------------------------------------------------------------
uhlar at fantomas.sk (2008-01-23 06:57) wrote:
The most important part for me is that the IP in horde logs and mail
headers should match. When our users log in to horde, only the connecting IP is
logged and only the forwarded IP is put into headers, which makes searching very
difficult.
Providing both proxy and forwarded_for IPs is OK, but the forwarded IP is
imho only useful if scripts will track trusted proxies as I described
(squid's forwarded_for patch does the same). This requires a list of trusted
proxies/networks as a horde/imp configuration option.
Another option is to put all IPs of the X-Forwarded-For: line into the mail, as a
special header (X-Forwarded-For) or a list of Received: headers (this could
be very useful for spam checkers). If not all, at least the trusted
forwarded IP should imho be there; adding the proxy is useful too.
Personally I would set up a function for parsing the client IP and
x-forwarded-for to provide 1-2 (last and first trusted) IP addresses, which
would be added to logged information etc.
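The resolution the comment above asks for, walking X-Forwarded-For from right to left and stopping at the first hop that is not in a configured trusted-proxy list, as an added illustration (example code, not Horde/IMP code and not the reporter's patch). The trusted networks, the `$_SERVER`-style inputs and the sample addresses are constructed for the example; `resolve_client` returns both the connecting address and the first untrusted address so a log line can carry the two values the comment wants to see side by side.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class ClientResolution:
    connecting: str                      # peer that opened the TCP connection (REMOTE_ADDR)
    client: Optional[str]                # first hop that is not a trusted proxy; None if undeterminable
    proxies: List[str] = field(default_factory=list)  # trusted hops traversed, nearest first


def parse_xff(header: Optional[str]) -> List[str]:
    """Split an X-Forwarded-For value into its comma-separated entries, dropping blanks."""
    if not header:
        return []
    return [part.strip() for part in header.split(",") if part.strip()]


def resolve_client(remote_addr: str, xff_header: Optional[str],
                   trusted_networks: List[str]) -> ClientResolution:
    """Resolve the real client address from REMOTE_ADDR plus X-Forwarded-For.

    Only entries appended by trusted proxies are believed: the header is walked
    from the right (the entry added by the nearest proxy) towards the left, and
    the walk stops at the first address that is not inside a trusted network.
    A header that arrives directly from an untrusted peer is ignored entirely.
    """
    trusted = [ip_network(n) for n in trusted_networks]

    def is_trusted(ip) -> bool:
        return any(ip in net for net in trusted)

    connecting = ip_address(remote_addr)
    if not is_trusted(connecting):
        # Direct connection from a non-proxy: whatever it sent in XFF is its own claim.
        return ClientResolution(str(connecting), str(connecting))

    proxies = [str(connecting)]
    for entry in reversed(parse_xff(xff_header)):
        try:
            hop = ip_address(entry)
        except ValueError:
            # A trusted proxy appends only real addresses, so garbage here came from
            # the untrusted side; nothing further left can be believed.
            return ClientResolution(str(connecting), None, proxies)
        if is_trusted(hop):
            proxies.append(str(hop))
            continue
        return ClientResolution(str(connecting), str(hop), proxies)

    # Every hop was a trusted proxy: the chain ends inside our own network.
    return ClientResolution(str(connecting), proxies[-1], proxies)


def log_line(user: str, res: ClientResolution) -> str:
    """Format the two addresses the way a login log entry could record them."""
    client = res.client if res.client is not None else "unknown"
    return f"login user={user} client={client} via={res.connecting}"


if __name__ == "__main__":
    TRUSTED = ["10.0.0.0/8", "192.0.2.0/24"]            # constructed proxy networks
    # Constructed request: trusted proxy 10.0.0.2 forwarding a chain with a spoofed prefix.
    r = resolve_client("10.0.0.2", "1.2.3.4, 198.51.100.9, 10.0.0.3", TRUSTED)
    print(log_line("alice", r))
```

The spoofed `1.2.3.4` at the left of the chain is never reached, because the walk stops at `198.51.100.9`, the first address that a trusted proxy did not itself add; a header presented by a direct, untrusted connection is ignored in the same way.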