The mod_proxy module currently supports "foreign addresses" in its client connections to backend servers when the AllowForeignAddress directive is used:
<IfModule mod_proxy.c>
ProxyEngine on
# Allow mismatches in addresses for backend data transfers
AllowForeignAddress on
...
</IfModule>
However, this configurable has the disadvantage of allowing mismatched addresses for frontend data transfers as well. Ideally, the policy for mismatched addresses for data transfers would be separate for frontend vs backend connections.
Thus the goal of this ticket is to modify mod_proxy, such that it does not look at/use the existing AllowForeignAddress directive, but instead will use e.g. ProxyOptions AllowForeignAddress.
Consider this use case/flow:
frontend client <-- passive data transfer --> proxy <-- active data transfer --> backend server
And the control connection IP address for the backend server does not match its source IP address for that active data connection; this might happen in a Kubernetes cluster, for example.
Actually, I don't believe that the AllowForeignAddress is used by mod_proxy for backend connections at all; it's only used/honored for frontend connections (as expected).
Thus this issue is more of a feature request, to add such policy constraints for backend connections; currently mod_proxy does not check/care if the source address for a backend active transfer matches the backend control connection address.
Let's see how such a ProxyOption AllowForeignAddress might work, for backend data transfers.
For active backend data transfers, mod_proxy would see that the remote IP address for the backend's data transfer connection might not match the backend IP address of the control connection.
For passive backend data transfers, mod_proxy would see that the IP address in the backend's EPSV/PASV response might not match the backend IP address of the control connection.
Are there use cases where mod_proxy should be enforcing/complaining of such address mismatches currently?
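The two backend checks discussed in this thread, sketched as an added example (not code from mod_proxy or ProFTPD): the active case compares the data connection's peer address with the backend control address, and the passive case parses a PASV reply and compares the advertised address. The function names, verdict constants and the allow_foreign flag are hypothetical, and the sketch assumes IPv4 only.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical verdicts for this example; not names from mod_proxy. */
enum { ADDR_MATCH = 0, ADDR_FOREIGN_ALLOWED = 1, ADDR_FOREIGN_REJECTED = -1, ADDR_MALFORMED = -2 };

/* Policy decision shared by both transfer modes. */
static int decide(const struct in_addr *ctrl, const struct in_addr *data, int allow_foreign) {
  if (ctrl->s_addr == data->s_addr) return ADDR_MATCH;
  return allow_foreign ? ADDR_FOREIGN_ALLOWED : ADDR_FOREIGN_REJECTED;
}

/* Active backend transfer: compare the peer address of the accepted data
 * connection with the backend control connection address. */
int check_backend_active(const char *ctrl_ip, const char *peer_ip, int allow_foreign) {
  struct in_addr ctrl, peer;
  if (inet_pton(AF_INET, ctrl_ip, &ctrl) != 1 || inet_pton(AF_INET, peer_ip, &peer) != 1)
    return ADDR_MALFORMED;
  return decide(&ctrl, &peer, allow_foreign);
}

/* Passive backend transfer: parse "227 ... (h1,h2,h3,h4,p1,p2)" and compare
 * the advertised address with the backend control connection address. */
int check_backend_pasv(const char *ctrl_ip, const char *resp, int allow_foreign) {
  struct in_addr ctrl, data;
  unsigned int v[6], i;
  const char *p;
  char tail;
  if (inet_pton(AF_INET, ctrl_ip, &ctrl) != 1 || strncmp(resp, "227 ", 4) != 0)
    return ADDR_MALFORMED;
  if ((p = strchr(resp, '(')) == NULL ||
      sscanf(p, "(%u,%u,%u,%u,%u,%u%c", &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &tail) != 7 ||
      tail != ')')
    return ADDR_MALFORMED;
  for (i = 0; i < 6; i++)
    if (v[i] > 255) return ADDR_MALFORMED;            /* each field is one octet */
  if (v[4] == 0 && v[5] == 0) return ADDR_MALFORMED;  /* port 0 is not usable */
  data.s_addr = htonl((v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3]);
  return decide(&ctrl, &data, allow_foreign);
}

int main(void) {
  /* Constructed sample values, not taken from a real capture. */
  const char *ctrl = "10.0.0.5";
  printf("%d\n", check_backend_pasv(ctrl, "227 Entering Passive Mode (10,0,0,5,195,80)", 0));
  printf("%d\n", check_backend_pasv(ctrl, "227 Entering Passive Mode (10,0,0,9,195,80)", 0));
  printf("%d\n", check_backend_active(ctrl, "10.0.0.9", 1));
  return 0;
}
```

A malformed reply is rejected regardless of the flag, so allowing foreign addresses never relaxes parsing.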