1. Yep

2. I see multiple possible answers as well...

3. ... and the 0,1,2-style config having either default sounds OK.

   Regarding 1) and 2), could we resolve and then check if the address is a
loopback address?
   3) Hmm, not sure about the use of *cast addresses either.
   4) The VIP deployment I'm used to will actually set up the host such
that the VIP name resolves to the loopback address, so the above works.
That might not be good enough for all deployments though.

On Mon, Aug 6, 2018 at 6:16 PM, Leif Hedstrom <zw...@apache.org> wrote:

>
>
> > On Aug 6, 2018, at 4:50 PM, Alan Carroll <solidwallofc...@oath.com.INVALID>
> wrote:
> >
> > 1. Yes.
>
> Agreed.
>
> >
> > 2. I think a 403
>
> I can go either way. The HTTP way would be to just return the Location as
> is (i.e. retain the redirect), following redirects is a little unorthodox.
> Maybe since we are adding new configuration(s), maybe make it such that the
> behavior can be configurable either way?
>
> Depending on if we add another configuration, or add on to the existing
> one, I’m thinking something in the line of
>
>         0 - Always allow follow redirect
>         1 - Allow follow redirect, but return the normal redirect if it’s
> for localhost
>         2 - Allow follow redirect, but give a 403 if it's to localhost
>
>
> My vote would be for 1) to be the default, but I can live with 2) as well.
>
> Question: The notion of “localhost” is a little vague here… I think
> there’s a number of other ways to reach “localhost”, rather than just
> localhost/127.0.0.1:
>
>         1) FQDNs
>         2) One of the possibly many IPs that are local to the box,
> including IPv6 link-locals
>         3) Possibly some broadcast or multicast addresses??
>         4) The upstream VIP IP that might point back to the box(es)
>
> I think there are many ways that someone could make a follow redirect loop
> back to itself, or a peering proxy.
>
> Cheers,
>
> — Leif
>
>


-- 
Derek
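
Added example, not part of the original thread and not Traffic Server code: a sketch of the "resolve, then check the address" idea combined with the proposed 0/1/2 setting. The mode names, `points_at_self`, `redirect_action` and the operator-supplied list of local addresses and VIPs are hypothetical; treating unspecified and multicast/broadcast addresses as local is an assumption the thread leaves open.

```python
import ipaddress
from enum import Enum

class Action(Enum):
    FOLLOW = "follow the redirect"
    RETURN_REDIRECT = "return the redirect to the client"
    FORBID = "respond 403"

# Hypothetical names for the 0/1/2 values proposed in the thread.
ALWAYS_FOLLOW, RETURN_IF_LOCAL, FORBID_IF_LOCAL = 0, 1, 2
BROADCAST = ipaddress.ip_address("255.255.255.255")

def points_at_self(addr, local_addrs, include_cast=True):
    """True if one resolved address leads back to this host."""
    ip = ipaddress.ip_address(addr)
    # ::ffff:127.0.0.1 is loopback written as IPv6; unwrap before testing.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # Assumption: the unspecified address (0.0.0.0, ::) is treated as local too.
    if ip.is_loopback or ip.is_unspecified:
        return True
    # Assumption: multicast/broadcast counts as local; the thread leaves this open.
    if include_cast and (ip.is_multicast or ip == BROADCAST):
        return True
    # Interface addresses (link-locals included) and VIPs, supplied by the operator.
    return ip in local_addrs

def redirect_action(mode, resolved, local_addrs=()):
    """Decide what to do with a redirect whose host resolved to `resolved`."""
    if mode == ALWAYS_FOLLOW:
        return Action.FOLLOW
    local = {ipaddress.ip_address(a) for a in local_addrs}
    # One self-pointing record is enough: the connect may pick any of them.
    if any(points_at_self(a, local) for a in resolved):
        return Action.RETURN_REDIRECT if mode == RETURN_IF_LOCAL else Action.FORBID
    return Action.FOLLOW

# Constructed sample data (documentation ranges): an interface link-local and a VIP.
LOCAL = ["fe80::1", "198.51.100.7"]

if __name__ == "__main__":
    for answers in (["127.0.0.1"], ["::ffff:127.0.0.1"], ["198.51.100.7"],
                    ["192.0.2.10", "fe80::1"], ["192.0.2.10"]):
        print(answers, "->", redirect_action(FORBID_IF_LOCAL, answers, LOCAL).value)
```

Because the decision is made on resolved addresses rather than on the hostname, an FQDN that resolves to the box is handled the same way as a literal `127.0.0.1`.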
