[docs] docs - jon modified icconfig.sdf
docs@icdevgroup.org
Sat Dec 14 13:02:00 2002
User: jon
Date: 2002-12-14 18:01:11 GMT
Modified: . icconfig.sdf
Log:
Document TrustProxy directive.
Revision Changes Path
1.78 +31 -2 docs/icconfig.sdf
rev 1.78, prev_rev 1.77
Index: icconfig.sdf
===================================================================
RCS file: /var/cvs/docs/icconfig.sdf,v
retrieving revision 1.77
retrieving revision 1.78
diff -u -u -r1.77 -r1.78
--- icconfig.sdf 30 Oct 2002 17:24:00 -0000 1.77
+++ icconfig.sdf 14 Dec 2002 18:01:11 -0000 1.78
@@ -1,10 +1,10 @@
!init OPT_LOOK="icdevgroup"; OPT_STYLE="manual"
-# $Id: icconfig.sdf,v 1.77 2002/10/30 17:24:00 mheins Exp $
+# $Id: icconfig.sdf,v 1.78 2002/12/14 18:01:11 jon Exp $
!define DOC_NAME "Configuration Reference"
!define DOC_TYPE ""
!define DOC_CODE "icconfig"
-!define DOC_VERSION substr('$Revision: 1.77 $',11, -2)
+!define DOC_VERSION substr('$Revision: 1.78 $',11, -2)
!define DOC_STATUS "Draft"
!define DOC_PROJECT "Interchange"
!define DOC_URL "http://www.icdevgroup.org/doc/icconfig.html"
@@ -1035,6 +1035,35 @@
during a POST. Unfortunately this has to be a global setting because at URL
parse time, the Interchange daemon doesn't yet know which catalog it's dealing
with (due to catalog aliases, etc.).
+
+H2: TrustProxy *global*
+
+Allows the administrator to designate certain IP addresses or hostnames
+as trusted HTTP proxies, whose claims (via the HTTP_X_FORWARDED_FOR
+environment variable set by the web server) about the original requesting
+host will be assumed accurate.
+
+When using a front-end proxy for Interchange, all requests appear to come
+from that proxy, for example, perhaps 127.0.0.1 if on the same machine.
+This is effectively the same as running with WideOpen Yes, because all sessions
+will have the same user IP address and thus can be easily hijacked. Session
+hijacking can happen when someone unknowingly includes a session ID in a URL they
+send to other users, and all those users then end up with the same session
+and shopping cart!
+
+TrustProxy takes a comma-separated list of one or more IP addresses and/or
+hostnames, which may include wildcards (* for any number of characters,
+? for a single character). For example:
+
+E:TrustProxy 127.0.0.1, 10.0.0.*
+
+I'm not sure why anyone would want to do this, but it could also be used
+with external HTTP proxies in general (which you can only hope aren't lying),
+with a simple 'TrustProxy *'.
+
+Note that the environment variables are not modified in any way; only
+Interchange's idea of the remote host is altered, as you see with
+C<[data session host]>.
H2: UrlSepChar *global*
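Review bot: The paragraph on 'TrustProxy *' (the lines beginning "I'm not sure why anyone would want to do this") understates the risk and reads as a personal aside in a reference manual. With every host trusted, whatever HTTP_X_FORWARDED_FOR value arrives with a request is accepted as the remote host, so a client can pick the address Interchange records for its session, and the per-IP session check that the second paragraph says this directive restores no longer means anything. Suggest replacing the aside with a plain statement that only proxies under the administrator's control should be listed, and that '*' removes the protection. Two details are also left open and each deserves a sentence: which address is used when the forwarded header carries more than one, and whether hostname patterns are compared against a resolved name or only against the literal address string.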