> On Aug 6, 2018, at 4:50 PM, Alan Carroll <solidwallofc...@oath.com.INVALID> 
> wrote:
> 
> 1. Yes.

Agreed.

> 
> 2. I think a 403

I can go either way. The HTTP way would be to just return the Location as is 
(i.e. retain the redirect); following redirects is a little unorthodox. Since we 
are adding new configuration(s), maybe make it such that the behavior is 
configurable either way?

Depending on whether we add another configuration, or add on to the existing one, 
I’m thinking something along the lines of

        0 - Always allow follow redirect
        1 - Allow follow redirect, but return the normal redirect if it’s for 
localhost
        2 - Allow follow redirect, but give a 403 if it’s to localhost


My vote would be for 1) to be the default, but I can live with 2) as well.

Question: The notion of “localhost” is a little vague here… I think there are a 
number of other ways to reach “localhost”, rather than just localhost/127.0.0.1:

        1) FQDNs
        2) One of the possibly many IPs that are local to the box, including 
IPv6 link-locals
        3) Possibly some broadcast or multicast addresses??
        4) The upstream VIP IP that might point back to the box(es)

I think there are many ways that someone could make a follow redirect loop back 
to itself, or a peering proxy.

Cheers,

— Leif
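The "what counts as localhost" question above is the part a practitioner has to get right before either mode 1 or mode 2 is safe. The following is an added example written for this thread, not Traffic Server's own implementation: it takes the host out of a Location header, resolves it (an IP literal is used directly, a name goes through an injectable resolver), and treats the target as local if any resolved address is loopback, link-local, multicast, unspecified, limited broadcast, or on a configured list of this box's interface addresses, VIPs and peering proxies. The DNS table, interface list and host names (documentation ranges, `.example` and `.invalid` names) are constructed for the example; `system_resolve` is the real-resolver variant and is not used offline.

```python
"""Classify the host of a redirect Location as 'local' (reaches this box,
a peer, or a VIP that fronts it) before deciding whether to follow it.
Added example for the thread; not Apache Traffic Server code."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Set, Union
from urllib.parse import urlsplit

IpAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]

IPV4_LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def _unwrap(addr: IpAddr) -> IpAddr:
    # ::ffff:127.0.0.1 is the v4 loopback in v6 syntax; classify the inner address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_local_address(addr: IpAddr, local_addrs: Set[IpAddr]) -> bool:
    """True for anything that lands on this host or its neighbours: loopback
    (127/8, ::1), link-local (169.254/16, fe80::/10), multicast, unspecified
    (0.0.0.0, ::), limited broadcast, and every address in local_addrs
    (interface addresses, VIPs, peering proxies)."""
    addr = _unwrap(addr)
    return (
        addr.is_loopback
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_unspecified
        or addr == IPV4_LIMITED_BROADCAST
        or addr in local_addrs
    )


def system_resolve(host: str) -> List[str]:
    """Real resolver (not used by the offline example): every A/AAAA answer."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def redirect_is_local(location: str, local_addrs: Iterable[str],
                      resolve: Resolver = system_resolve) -> bool:
    """Decide whether a Location header points back at us. Fails closed: a
    Location without a host, or a host that cannot be resolved, counts as
    local, so the caller passes the 3xx through instead of following it."""
    host = urlsplit(location).hostname
    if not host:
        return True
    local = {_unwrap(ipaddress.ip_address(a)) for a in local_addrs}
    try:
        candidates: List[IpAddr] = [ipaddress.ip_address(host)]
    except ValueError:  # not a literal (also catches "127.1" shorthand): ask the resolver
        try:
            candidates = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            return True
        if not candidates:
            return True
    # One local answer is enough: we do not control which record gets dialled.
    return any(is_local_address(a, local) for a in candidates)


# Constructed DNS table standing in for the resolver (assumed names/addresses).
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "localhost": ["127.0.0.1", "::1"],
    "localhost.": ["127.0.0.1", "::1"],
    "127.1": ["127.0.0.1"],            # shorthand that getaddrinfo expands for real
    "proxy01.example.internal": ["10.0.0.5"],
    "vip.example.com": ["198.51.100.10", "203.0.113.7"],
    "www.example.org": ["192.0.2.44"],
}

# Assumed interface addresses of this box plus the VIP that fronts it.
THIS_BOX = ["10.0.0.5", "fe80::1", "198.51.100.10"]


def fake_resolve(host: str) -> List[str]:
    return CONSTRUCTED_DNS.get(host, [])


def decide(location: str, mode: int) -> str:
    """The three modes from the thread: 0 always follow, 1 pass the 3xx through
    when the target is local, 2 answer 403 when the target is local."""
    if mode == 0 or not redirect_is_local(location, THIS_BOX, fake_resolve):
        return "follow"
    return "pass-through" if mode == 1 else "403"


if __name__ == "__main__":
    for loc in ["http://www.example.org/a", "http://localhost:8080/admin",
                "http://[::ffff:127.0.0.1]/", "http://vip.example.com/",
                "http://[fe80::1]/", "http://127.1/"]:
        print(f"{loc:32} mode1={decide(loc, 1):13} mode2={decide(loc, 2)}")
```

Two design points worth noting: the check runs on every resolved address, not just the first, because a name can mix a public A record with a loopback one; and numeric shorthand such as `127.1` or hex forms are deliberately handed to the resolver rather than parsed, since that is how the connect path will interpret them. Directed broadcast for a local subnet is not covered here; that needs the subnet masks of the interfaces, which the example does not model.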
