Implement AllowForeignAddress ProxyOption #193

Open
Castaglia opened this issue Mar 6, 2021 · 2 comments

@Castaglia
Owner

Castaglia commented Mar 6, 2021

The mod_proxy module currently supports "foreign addresses" in its client connections to backend servers when the AllowForeignAddress directive is used:

<IfModule mod_proxy.c>
  ProxyEngine on

  # Allow mismatches in addresses for backend data transfers
  AllowForeignAddress on
  ...
</IfModule>

However, this configurable has the disadvantage of allowing mismatched addresses for frontend data transfers as well. Ideally, the policy for mismatched addresses for data transfers would be separate for frontend vs backend connections.

Thus the goal of this ticket is to modify mod_proxy, such that it does not look at/use the existing AllowForeignAddress directive, but instead will use e.g. ProxyOptions AllowForeignAddress.

Consider this use case/flow:

frontend client <-- passive data transfer --> proxy <-- active data transfer --> backend server

And the control connection IP address for the backend server does not match its source IP address for that active data connection; this might happen in a Kubernetes cluster, for example.

@Castaglia Castaglia self-assigned this Mar 6, 2021
@Castaglia Castaglia added this to the 0.8 milestone Mar 6, 2021
@Castaglia
Owner Author

Actually, I don't believe that the AllowForeignAddress is used by mod_proxy for backend connections at all; it's only used/honored for frontend connections (as expected).

Thus this issue is more of a feature request, to add such policy constraints for backend connections; currently mod_proxy does not check/care if the source address for a backend active transfer matches the backend control connection address.

@Castaglia
Owner Author

Let's see how such a ProxyOption AllowForeignAddress might work, for backend data transfers.

For active backend data transfers, mod_proxy would see that the remote IP address for the backend's data transfer connection might not match the backend IP address of the control connection.

For passive backend data transfers, mod_proxy would see that the IP address in the backend's EPSV/PASV response might not match the backend IP address of the control connection.

Are there use cases where mod_proxy should be enforcing/complaining of such address mismatches currently?

@Castaglia Castaglia modified the milestones: 0.8, Future Mar 7, 2021
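
The two backend checks discussed in this issue, as an added sketch that is not mod_proxy's code: the data address (the peer of an active connection, or the address in a PASV reply) is compared against the backend control connection address, and a flag standing in for the proposed option decides whether a mismatch is tolerated. The function names, the verdict enum and the sample addresses are assumptions, and only the IPv4 PASV (227) form is handled.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical verdicts for this sketch; not mod_proxy's own types. */
enum verdict { ADDR_MATCH, ADDR_FOREIGN_ALLOWED, ADDR_REJECTED, ADDR_MALFORMED };

/* Shared policy: compare the data address against the control address. */
static enum verdict apply_policy(struct in_addr ctrl, struct in_addr data, int allow_foreign) {
  if (ctrl.s_addr == data.s_addr) return ADDR_MATCH;
  return allow_foreign ? ADDR_FOREIGN_ALLOWED : ADDR_REJECTED;
}

/* Active transfer: peer_ip is the source address of the accepted data connection. */
enum verdict check_backend_active(const char *ctrl_ip, const char *peer_ip, int allow_foreign) {
  struct in_addr ctrl, peer;
  if (inet_pton(AF_INET, ctrl_ip, &ctrl) != 1 || inet_pton(AF_INET, peer_ip, &peer) != 1)
    return ADDR_MALFORMED;
  return apply_policy(ctrl, peer, allow_foreign);
}

/* Passive transfer: the address comes from "227 ... (h1,h2,h3,h4,p1,p2)". */
enum verdict check_backend_pasv(const char *ctrl_ip, const char *resp, int allow_foreign) {
  struct in_addr ctrl, data;
  unsigned int f[6], i;
  char end = 0;
  const char *lp = strchr(resp, '(');

  if (inet_pton(AF_INET, ctrl_ip, &ctrl) != 1) return ADDR_MALFORMED;
  if (strncmp(resp, "227 ", 4) != 0 || lp == NULL) return ADDR_MALFORMED;
  /* Width-limited fields reject oversized numbers without overflow. */
  if (sscanf(lp, "(%3u,%3u,%3u,%3u,%3u,%3u%c", &f[0], &f[1], &f[2], &f[3],
             &f[4], &f[5], &end) != 7 || end != ')')
    return ADDR_MALFORMED;
  for (i = 0; i < 6; i++)
    if (f[i] > 255) return ADDR_MALFORMED;
  if (f[4] * 256 + f[5] == 0) return ADDR_MALFORMED; /* port 0 is unusable */
  data.s_addr = htonl((f[0] << 24) | (f[1] << 16) | (f[2] << 8) | f[3]);
  return apply_policy(ctrl, data, allow_foreign);
}

int main(void) {
  /* Constructed sample values from the documentation address ranges. */
  const char *ctrl = "192.0.2.10";
  const char *resp = "227 Entering Passive Mode (198,51,100,7,195,80)";
  printf("pasv strict=%d allowed=%d\n", check_backend_pasv(ctrl, resp, 0),
         check_backend_pasv(ctrl, resp, 1));
  printf("active strict=%d\n", check_backend_active(ctrl, "198.51.100.7", 0));
  return 0;
}
```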