1. Yes 2. 403 3. I like Lief’s proposal. You might want to add another option to add non-routable IPs to the list too. I would create a configuration option called proxy.config.http.redirect_enabled and start with 0 as off and set proxy.config.http.number_of_redirections to 1 as the default.
When checking for localhost you should resolve the ip and check to see if it matches any of the IPs on the server. That could be a long list if there servers has many IP aliases. This still doesn’t block IPs used by other servers in the same network. -Bryan > On Aug 6, 2018, at 5:25 PM, Derek Dagit <der...@oath.com.INVALID> wrote: > > 1. Yep > > 2. I see multiple possible answers as well... > > 3. ... and the 0,1,2-style config having either default sounds OK. > > Regarding 1)2), Could we resolve and then check if the address is a > loopback address? > 3) Hmm, not sure about the use of *cast addresses either. > 4) The VIP deployment I'm used to will actually set up the host such > that the VIP name resolves to the loopback address, so the above works. > That might not be good enough for all deployments though. > > On Mon, Aug 6, 2018 at 6:16 PM, Leif Hedstrom <zw...@apache.org> wrote: > >> >> >>> On Aug 6, 2018, at 4:50 PM, Alan Carroll <solidwallofc...@oath.com.INVALID> >> wrote: >>> >>> 1. Yes. >> >> Agreed. >> >>> >>> 2. I think a 403 >> >> I can go either way. The HTTP way would be to just return the Location as >> is (i.e. retain the redirect), following redirects is a little unorthodox. >> Maybe since we are adding new configuration(s), maybe make it such that the >> behavior can be configurable either way? >> >> Depending on if we add another configuration, or add on to the existing >> one, I’m thinking something in the line of >> >> 0 - Always allow follow redirect >> 1 - Allow follow redirect, but return the normal redirect if it’s >> for localhost >> 2 - Allow follow redirect, but give a 403 if it's to localhost >> >> >> My vote would be for 1) to be the default, but I can live with 2) as well. >> >> Question: The notion of “localhost” is a little vague here… I think >> there’s a number of other ways to reach “localhost”, rather than just >> localhost/127.0.0.1: >> >> 1) FQDNs >> 2) One of the possibly many IPs that are local to the box, >> including IPv6 link-locals >> 3) Possibly some broadcast or multicast addresses?? >> 4) The upstream VIP IP that might point back to the box(es) >> >> I think there are many ways that someone could make a follow redirect loop >> back to itself, or a peering proxy. >> >> Cheers, >> >> — Leif >> >> > > > -- > Derek
