Named listen addresses in VCL

Dridi Boukelmoune dridi at varni.sh
Mon Jul 4 17:31:25 CEST 2016


> TCP/IP doesn't really work that way, in particular people forget that
> packets may take different routes forth and back.
>
> As best as I can tell, all your proposed uses would open you up to
> rather trivial attacks, given a single compromised machine anywhere
> in your DMZ.

I don't understand; the use cases I'm suggesting are as "unsafe" as
relying on ACLs with either client.ip or server.ip.

I'm suggesting making the alternative to ACLs more convenient, by not
having to match addresses or extract the port number with std.port()
and relying on an abstract name instead.

You have the same problem if anything matching one of your ACLs'
trusted addresses is compromised.

Dridi
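The three styles of check the message contrasts, as an added VCL example (not code from the thread or from the Varnish project): an ACL on client.ip, a port match with std.port(server.ip), and a check against an abstract listener name. The listen sockets (`-a public=:80 -a admin=127.0.0.1:8080`), the `/admin` path and the `internal_clients` ranges are assumptions made for this example. The thread shows no syntax for the named form; the version below uses `local.socket`, which is the shape the feature later took in VCL 4.1 (Varnish 6.0), so that line is an assumption about a later release rather than something the message states.

```vcl
vcl 4.1;

import std;

# Assumed launch line for this example (not from the thread):
#   varnishd -a public=:80 -a admin=127.0.0.1:8080
# The "admin" listener is meant to be reachable only from inside.

# Option 1: trust by client address. Assumed ranges.
acl internal_clients {
    "10.0.0.0"/8;
    "127.0.0.1";
}

sub check_admin_by_acl {
    # Any host in the trusted ranges that is compromised gets through.
    if (req.url ~ "^/admin" && !(client.ip ~ internal_clients)) {
        return (synth(403, "Forbidden"));
    }
}

sub check_admin_by_port {
    # Same trust model, expressed as "which socket accepted this
    # connection": anything that can reach 127.0.0.1:8080 is trusted.
    # std.port() extracts the port from the IP-typed server.ip.
    if (req.url ~ "^/admin" && std.port(server.ip) != 8080) {
        return (synth(403, "Forbidden"));
    }
}

sub check_admin_by_name {
    # The convenience the message argues for: compare against the
    # listener's name instead of hard-coding address and port.
    # ASSUMPTION: written with local.socket, added in VCL 4.1
    # (Varnish 6.0); the thread itself shows no syntax for this.
    if (req.url ~ "^/admin" && local.socket != "admin") {
        return (synth(403, "Forbidden"));
    }
}

sub vcl_recv {
    # Pick one of the three; they encode the same trust decision.
    call check_admin_by_name;
}
```

Note what each variant actually establishes: the ACL form tells you the peer address as seen by Varnish, and the port and name forms tell you which socket accepted the connection. None of them tells you who is on the other end, so a compromised host that can reach the trusted range or the admin socket passes all three equally; the named form only removes the address and port literals from the VCL.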



More information about the varnish-dev mailing list