proftpd-mod_proxy
Implement AllowForeignAddress ProxyOption
The mod_proxy module currently supports "foreign addresses" in its client connections to backend servers when the AllowForeignAddress directive is used:
```
<IfModule mod_proxy.c>
  ProxyEngine on

  # Allow mismatches in addresses for backend data transfers
  AllowForeignAddress on
  ...
</IfModule>
```
However, this configurable has the disadvantage of allowing mismatched addresses for frontend data transfers as well. Ideally, the policy for mismatched addresses for data transfers would be separate for frontend vs backend connections.
Thus the goal of this ticket is to modify mod_proxy such that it does not look at/use the existing AllowForeignAddress directive, but instead will use e.g. ProxyOptions AllowForeignAddress.
Consider this use case/flow:
frontend client <-- passive data transfer --> proxy <-- active data transfer --> backend server
And the control connection IP address for the backend server does not match its source IP address for that active data connection; this might happen in a Kubernetes cluster, for example.
Actually, I don't believe that the AllowForeignAddress is used by mod_proxy for backend connections at all; it's only used/honored for frontend connections (as expected).
Thus this issue is more of a feature request, to add such policy constraints for backend connections; currently mod_proxy does not check/care if the source address for a backend active transfer matches the backend control connection address.
Let's see how such a ProxyOption AllowForeignAddress might work, for backend data transfers.
For active backend data transfers, mod_proxy would see that the remote IP address for the backend's data transfer connection might not match the backend IP address of the control connection.
For passive backend data transfers, mod_proxy would see that the IP address in the backend's EPSV/PASV response might not match the backend IP address of the control connection.
Are there use cases where mod_proxy should be enforcing/complaining of such address mismatches currently?
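The two checks sketched in the comments above (active: the source address of the backend's inbound data connection; passive: the address carried in the backend's PASV/EPSV reply, compared against the backend control connection address) can be modelled as a small policy function. The following is an added example written for this page, not mod_proxy's code: the `allow_foreign` flag is a hypothetical stand-in for the proposed `ProxyOptions AllowForeignAddress`, the backend addresses are constructed sample values, and the reply parsers follow the RFC 959 (227) and RFC 2428 (229) reply formats.

```python
"""Model of the backend data-connection address-mismatch policy discussed in this issue.

Added example, not mod_proxy code. `allow_foreign` is a hypothetical flag standing in
for the proposed `ProxyOptions AllowForeignAddress`.
"""
import ipaddress
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  -- RFC 959
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# 229 Entering Extended Passive Mode (|||port|)  -- RFC 2428
EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def normalize(addr):
    """Parse an address string; an IPv4-mapped IPv6 address (::ffff:a.b.c.d) compares as IPv4."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def parse_pasv(response):
    """Return (ip, port) advertised in a 227 reply, or raise ValueError on a malformed reply."""
    m = PASV_RE.search(response)
    if not response.startswith("227") or m is None:
        raise ValueError("not a well-formed 227 reply: %r" % response)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in 227 reply: %r" % response)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), (p1 << 8) | p2


def parse_epsv(response, control_addr):
    """Return (ip, port) for a 229 reply.

    A 229 reply carries only the port: per RFC 2428 the data host is the
    control connection peer, so the control address is returned as the host.
    """
    m = EPSV_RE.search(response)
    if not response.startswith("229") or m is None:
        raise ValueError("not a well-formed 229 reply: %r" % response)
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range in 229 reply: %r" % response)
    return control_addr, port


def data_addr_allowed(control_addr, data_addr, allow_foreign=False):
    """Policy core: a data endpoint on a different host is accepted only when allow_foreign is set."""
    if allow_foreign:
        return True
    return normalize(control_addr) == normalize(data_addr)


def check_passive(control_addr, response, allow_foreign=False):
    """Backend passive transfer: vet the address in the backend's PASV/EPSV reply.

    Returns (allowed, data_ip, data_port).
    """
    if response.startswith("227"):
        ip, port = parse_pasv(response)
    elif response.startswith("229"):
        ip, port = parse_epsv(response, control_addr)
    else:
        raise ValueError("unexpected passive-mode reply: %r" % response)
    return data_addr_allowed(control_addr, ip, allow_foreign), ip, port


def check_active(control_addr, peer_addr, allow_foreign=False):
    """Backend active transfer: vet the source address of the backend's inbound data connection."""
    return data_addr_allowed(control_addr, peer_addr, allow_foreign)


if __name__ == "__main__":
    # Constructed sample: the backend control connection is with 10.0.0.5, but
    # its data traffic appears from another address, 10.244.1.7 (e.g. a NATed pod).
    backend = "10.0.0.5"
    print(check_passive(backend, "227 Entering Passive Mode (10,244,1,7,195,80)."))
    print(check_passive(backend, "227 Entering Passive Mode (10,244,1,7,195,80).", allow_foreign=True))
    print(check_passive(backend, "229 Entering Extended Passive Mode (|||50000|)"))
    print(check_active(backend, "10.244.1.7"), check_active(backend, "10.244.1.7", allow_foreign=True))
```

Two points fall out of the model. First, an EPSV reply never triggers the mismatch policy, because it carries no host at all; the mismatch can only surface through a PASV reply or through the peer address of an active-mode data connection, so a proxy that prefers EPSV toward its backends narrows the question to the active case. Second, comparing through `ipaddress` rather than string equality keeps an IPv4-mapped IPv6 peer address (`::ffff:10.0.0.5`) from being misreported as foreign when the control connection was recorded as plain IPv4.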