From: Eric Covener <covener@apache.org>
Date: Tue, 22 Sep 2015 18:11:35 +0000 (+0000)
Subject: add warnings and emphasize the defaults for trusted non-internal proxies)
X-Git-Tag: 2.5.0-alpha~2817
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=344a42289a3cc7dd85aabecb420417d92338dd55;p=thirdparty%2Fapache%2Fhttpd.git

add warnings and emphasize the defaults for trusted non-internal proxies)



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1704683 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/mod/mod_remoteip.xml b/docs/manual/mod/mod_remoteip.xml
index 27d04cba827..40ecd390b3e 100644
--- a/docs/manual/mod/mod_remoteip.xml
+++ b/docs/manual/mod/mod_remoteip.xml
@@ -113,9 +113,12 @@ via the request headers.
     <var>header-field</var> header as the useragent IP address, or list
     of intermediate useragent IP addresses, subject to further configuration
     of the <directive module="mod_remoteip">RemoteIPInternalProxy</directive> and
-    <directive module="mod_remoteip">RemoteIPTrustedProxy</directive> directives.  Unless these
-    other directives are used, <module>mod_remoteip</module> will trust all
-    hosts presenting a <directive module="mod_remoteip">RemoteIPHeader</directive> IP value.</p>
+    <directive module="mod_remoteip">RemoteIPTrustedProxy</directive> directives.</p>
+
+    <note type="warning"> Unless these other directives are used, <module>mod_remoteip</module> 
+    will trust all hosts presenting a non internal address in the 
+    <directive module="mod_remoteip">RemoteIPHeader</directive> header value.
+    </note>
 
     <example><title>Internal (Load Balancer) Example</title>
     <highlight language="config">
@@ -213,20 +216,26 @@ RemoteIPProxiesHeader X-Forwarded-By
 
 <directivesynopsis>
 <name>RemoteIPTrustedProxy</name>
-<description>Declare client intranet IP addresses trusted to present the RemoteIPHeader value</description>
+<description>Restrict client IP addresses trusted to present the RemoteIPHeader value</description>
 <syntax>RemoteIPTrustedProxy <var>proxy-ip</var>|<var>proxy-ip/subnet</var>|<var>hostname</var> ...</syntax>
 <contextlist><context>server config</context><context>virtual host</context></contextlist>
 
 <usage>
-    <p>The <directive module="mod_remoteip">RemoteIPTrustedProxy</directive> directive adds one
-    or more addresses (or address blocks) to trust as presenting a valid
-    RemoteIPHeader value of the useragent IP.  Unlike the
-    <directive module="mod_remoteip">RemoteIPInternalProxy</directive> directive, any intranet
+    <p>The <directive module="mod_remoteip">RemoteIPTrustedProxy</directive> 
+    directive restricts which peer IP addresses (or address blocks) will be
+    trusted to present  a valid RemoteIPHeader value of the useragent IP.</p>
+  
+    <p> Unlike the <directive module="mod_remoteip">RemoteIPInternalProxy</directive> directive, any intranet
     or private IP address reported by such proxies, including the 10/8, 172.16/12,
     192.168/16, 169.254/16 and 127/8 blocks (or outside of the IPv6 public
     2000::/3 block) are not trusted as the useragent IP, and are left in the
     <directive module="mod_remoteip">RemoteIPHeader</directive> header's value.</p>
 
+    <note type="warning">By default, <module>mod_remoteip</module> will trust 
+    all hosts presenting a non internal address in the 
+    <directive module="mod_remoteip">RemoteIPHeader</directive> header value.
+    </note>
+
     <example><title>Trusted (Load Balancer) Example</title>
         <highlight language="config">
 RemoteIPHeader X-Forwarded-For
@@ -239,7 +248,7 @@ RemoteIPTrustedProxy proxy.example.com
 
 <directivesynopsis>
 <name>RemoteIPTrustedProxyList</name>
-<description>Declare client intranet IP addresses trusted to present the RemoteIPHeader value</description>
+<description>Restrict client IP addresses trusted to present the RemoteIPHeader value</description>
 <syntax>RemoteIPTrustedProxyList <var>filename</var></syntax>
 <contextlist><context>server config</context><context>virtual host</context></contextlist>