I think it obvious the ultimate check should be "is the upstream address a loopback address?". Textual comparisons are going to get hacked, we must check the actual IP address that will be used.
On Mon, Aug 6, 2018 at 7:25 PM Derek Dagit <der...@oath.com.invalid> wrote: > 1. Yep > > 2. I see multiple possible answers as well... > > 3. ... and the 0,1,2-style config having either default sounds OK. > > Regarding 1)2), Could we resolve and then check if the address is a > loopback address? > 3) Hmm, not sure about the use of *cast addresses either. > 4) The VIP deployment I'm used to will actually set up the host such > that the VIP name resolves to the loopback address, so the above works. > That might not be good enough for all deployments though. > > On Mon, Aug 6, 2018 at 6:16 PM, Leif Hedstrom <zw...@apache.org> wrote: > > > > > > > > On Aug 6, 2018, at 4:50 PM, Alan Carroll <solidwallofc...@oath.com > .INVALID> > > wrote: > > > > > > 1. Yes. > > > > Agreed. > > > > > > > > 2. I think a 403 > > > > I can go either way. The HTTP way would be to just return the Location as > > is (i.e. retain the redirect), following redirects is a little > unorthodox. > > Maybe since we are adding new configuration(s), maybe make it such that > the > > behavior can be configurable either way? > > > > Depending on if we add another configuration, or add on to the existing > > one, I’m thinking something in the line of > > > > 0 - Always allow follow redirect > > 1 - Allow follow redirect, but return the normal redirect if it’s > > for localhost > > 2 - Allow follow redirect, but give a 403 if it's to localhost > > > > > > My vote would be for 1) to be the default, but I can live with 2) as > well. > > > > Question: The notion of “localhost” is a little vague here… I think > > there’s a number of other ways to reach “localhost”, rather than just > > localhost/127.0.0.1: > > > > 1) FQDNs > > 2) One of the possibly many IPs that are local to the box, > > including IPv6 link-locals > > 3) Possibly some broadcast or multicast addresses?? > > 4) The upstream VIP IP that might point back to the box(es) > > > > I think there are many ways that someone could make a follow redirect > loop > > back to itself, or a peering proxy. > > > > Cheers, > > > > — Leif > > > > > > > -- > Derek > -- *Beware the fisherman who's casting out his line in to a dried up riverbed.* *Oh don't try to tell him 'cause he won't believe. Throw some bread to the ducks instead.* *It's easier that way. *- Genesis : Duke : VI 25-28
