> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: 30 August 2002 20:50
> To: Tomcat Developers List
> Subject: RE: Spec question: RE BUG 12052
> The server may have 2 ip addresses, one visible from outside and one
> restricted by firewalls to only internal users ( and used for example
> for content updates ).
>
> In servlet 2.2 and 2.3, it is perfectly valid to use getServerName()
> and get the address that received the request. Since the servlet

:), I need to announce that TC has not behaved this way for 2 years or more; getServerName and getServerPort rely on the Host header :)), so one never knows if the adapter where the request was received is one or another.. only that the user seems to request some Host: or another.. Of course there are ways ( at least in 4.X ) to get to know that a request comes exactly from one address, but they are config tricks..

> spec doesn't provide any 'declarative' support for this kind of
> access control - I think this is a valid solution. A firewall or
> routing can protect the internal address ( say 10.0.0.1 - on a network
> card connected only to the internal net, and a firewall restricting
> outside access to this IP ). In 2.4 this will fail ( opening potential
> holes ) and in addition this kind of check will be impossible to
> implement - since the address where the request was received will
> no longer be available.

What 2.4 is trying to specify is what TC is doing right now, and I agree that the definition opens some holes. When TC is behind a webserver, it must be the webserver that decides what the actual server name and port are, not TC..

Back to the roots: the only use the Host: header has is to select a particular VS, and to get back to the original Request URI ( modulo encoding problems of course :) that was typed by the user, for example to form a correct Location: header in case of a 301..

For the second use, clearly Apache does what it is supposed to do, and more, it documents its behavior in the httpd.conf file

"
# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client. When set "On", Apache will use the value of the
# ServerName directive.
#
UseCanonicalName Off
" :)

For the VS matching, Apache 2 just uses the name ( for name-based VS there is no other way to do it ), but not the port supplied ( just tested ); the port for a VS match in A2 has to be the real socket port.. but the name can never be other than the one supplied, cheated or not..

Anyway, I have some doubts about the 2.4 spec definition. Maybe it is too hard to tie this info in the API to the one present in the Host: header, and probably the good behavior is to distinguish whether the request comes from the Standalone connector or not: in the case the request comes from SC, follow A2 strategies, adding our own "UseCanonicalName" and so on, but trust A2 ( or IIS or whatever ) if used behind them.

Saludos,
Ignacio J. Ortega
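
The following is an added example, not part of the original message and not Tomcat or Apache code: a small Python model of the two name sources discussed in this thread, showing why an "internal only" check keyed on the Host-derived server name differs from one keyed on the address that received the request. The `Request` type, all function names, the 10.0.0.0/24 subnet and the 203.0.113.10 public address are assumptions made for the illustration.

```python
from dataclasses import dataclass
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed internal subnet

@dataclass
class Request:
    local_addr: str   # address of the interface that accepted the connection
    local_port: int
    host_header: str  # client-supplied Host: value, can be anything

def split_host(host_header, default_port=80):
    """Split a Host: value into (name, port); IPv6 literals are out of scope."""
    name, sep, port = host_header.partition(":")
    return name.lower(), int(port) if sep and port.isdigit() else default_port

def server_name(req, use_canonical_name, configured_name):
    """UseCanonicalName On -> configured ServerName; Off -> client's Host: value."""
    if use_canonical_name:
        return configured_name
    return split_host(req.host_header)[0]

def internal_by_host(req):
    """Weak check: trusts the name derived from the Host: header."""
    name = server_name(req, use_canonical_name=False, configured_name="")
    try:
        return ipaddress.ip_address(name) in INTERNAL_NET
    except ValueError:  # a DNS name, not an address literal
        return False

def internal_by_local_addr(req):
    """Check on the receiving address, which the client cannot choose."""
    return ipaddress.ip_address(req.local_addr) in INTERNAL_NET

# Constructed sample requests (not taken from any real log).
SAMPLES = {
    "internal, honest": Request("10.0.0.1", 80, "10.0.0.1"),
    "external, honest": Request("203.0.113.10", 80, "www.example.com"),
    "external, Host claims internal": Request("203.0.113.10", 80, "10.0.0.1:80"),
}

def evaluate():
    """Return {label: (by_host, by_local_addr)} for every sample request."""
    return {k: (internal_by_host(r), internal_by_local_addr(r))
            for k, r in SAMPLES.items()}

if __name__ == "__main__":
    for label, (by_host, by_addr) in evaluate().items():
        print(f"{label:32} by_host={by_host} by_local_addr={by_addr}")
```

Only the third sample separates the two checks: the Host-based check accepts it while the receiving-address check rejects it.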