André,

On 1/8/15 5:07 PM, André Warnier wrote:
> dmccrthy wrote:
>> Chris, André,
>>
>> Many thanks. I hadn't considered either the MITM or Apache HTTPD
>> angles. The proxy idea occurred to me (sorry, I had a typo in my
>> original mail and that may not have been clear) but I agree it's
>> messy.
>>
>> Many thanks again, I just couldn't find anything that said yes it
>> can be done, or no it can't. A 3rd party feature request is a
>> last resort so I had to find out if there was some
>> under-the-bonnet way. I really appreciate your insights into
>> this.
>>
>
> No problem.
>
> For the sake of completeness, the only thing which made me
> cautious about using an already-made proxy server such as Apache
> httpd, is the question of the DNS lookups (or rather the "resolver"
> in the machine itself), if you play with the fake entry in the
> hosts file. Consider the following scenario:
> - the webapp in question wants to connect to "server.company.com:8000"
> - to divert this to your own local proxy, you define "server.company.com"
>   in the local hosts file as 127.0.0.1 (the localhost), and you set up a
>   local httpd to listen on 127.0.0.1:8000, to do the proxying.
> - thus when the webapp builds its TCP connection to
>   "server.company.com:8000" - presumably by looking up
>   "server.company.com" first - it gets back (from the local OS's
>   resolver) the IP address 127.0.0.1, and builds a TCP connection to
>   127.0.0.1. Then over that connection, it sends an HTTP 1.1 request
>   including a "Host: server.company.com" header. So far so good.
> - your httpd proxy catches this connection and the request.
> - now the proxy has itself to build a connection to the "real"
>   server.company.com. So it does a lookup (using the local OS's TCP
>   stack) for the IP address of "server.company.com", to build its own
>   connection to it. And.. it gets back 127.0.0.1 as an IP address
>   (because of course that lookup also looks in the local hosts file
>   first).
>
> That would be kind of a self-inflicted DOS attack, and it would be
> interesting to see how quickly the proxy would blow up. An easy
> solution would be to put the proxy on a different machine.

I hadn't thought of hosts+localhost = boom. Good catch.

-chris
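The self-connect loop André walks through, as an added example that is not part of the thread or of httpd: a small model of the resolver order (hosts file before DNS) plus a pre-flight check that flags a proxy whose upstream name resolves back to a port the proxy itself listens on. The hosts entries, the DNS answer 203.0.113.10, and the proxy machine's address 192.0.2.5 are constructed sample values.

```python
import ipaddress
from typing import Dict, Optional, Set

# Constructed sample inputs (not from the thread): the hosts-file override from
# André's scenario, and a stand-in public DNS answer in the documentation range.
HOSTS_FILE = """
127.0.0.1   localhost
127.0.0.1   server.company.com   # divert the webapp to the local proxy
"""
DNS = {"server.company.com": "203.0.113.10"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file text into {name: ip}; the first entry for a name wins."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenise
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table


def resolve(name: str, hosts: Dict[str, str], dns: Dict[str, str]) -> Optional[str]:
    """Model the OS resolver order the scenario depends on: hosts file first, then DNS."""
    try:
        return str(ipaddress.ip_address(name))   # an IP literal is never looked up
    except ValueError:
        return hosts.get(name.lower()) or dns.get(name.lower())


def proxy_would_loop(upstream_host: str, upstream_port: int, local_ips: Set[str],
                     listen_ports: Set[int], hosts: Dict[str, str], dns: Dict[str, str]) -> bool:
    """True if the upstream resolves to this machine on a port the proxy listens on.

    That is the loop from the thread: the proxy would accept its own outbound
    request and forward it to itself again, without limit. The check is
    deliberately conservative: any local address counts, not only the bound one.
    """
    ip = resolve(upstream_host, hosts, dns)
    if ip is None:
        raise LookupError(f"cannot resolve {upstream_host}")
    target = ipaddress.ip_address(ip)
    on_this_host = target.is_loopback or str(target) in local_ips
    return on_this_host and upstream_port in listen_ports
```

Pinning the upstream to its IP literal (or a clean hosts file on a separate proxy machine, as André suggests) makes the check return False because no hosts lookup happens for the upstream.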