[stunnel-users] X-Forwarded-For / X-Forwarded-Proto
Michal Trojnara
Michal.Trojnara at mirt.net
Wed Feb 9 17:18:24 CET 2011
Stefan Behte wrote:
> I believe the overflow was fixed in the newer version of the patch I've
> attached.
I have briefly reviewed the patch and I couldn't find any vulnerabilities
indeed.
On the other hand its coding style makes my eyes bleed. 8-)
> IMHO the patch will still be very useful, even if it does not support
> keep-alive: often in high-performence setups keep-alive is not even
desired
> because it fills up ressources needlessly. Even if this does not provide
> all features, a lot of people would be satisfied with it.
>
> There is a great desire for this patch, if one searches for "stunnel
> x-forwarded-for" on google, you will find more than 60 pages and not
only a
> few dozens of blogs/mailing lists that discuss applying the patch and
> getting it to work as an SSL terminator for loadbalancing software.
This feature is on my TODO list for quite a long time.
http://stunnel.org/?page=sdf_todo
I guess some people use stunnel for expensive, high-performance clusters.
It seems strange that none of them decided to sponsor adding a clean
implementation with support for persistent HTTP connections. Maybe they
don't care.
BTW: Isn't it better to use non-local bind ("transparent=source") instead?
> If it's too much of a hassle for you to review and/or integrate the
patch,
> I can understand that very well, I'd just like to open a discussion and
> would like to know if you have concerns regarding the patch quality,
even
> if you do not want to include the patch at this time. :)
I'm not going to integrate the patch as it is. That's for sure.
Re-implementing the same functionality (i.e. without persistent HTTP
connections) seems to be quite simple, but the idea of adding a BOA (broken
on arrival) feature seems awkward to me.
Mike
More information about the stunnel-users
mailing list