Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Apache>
  3. Dev
The SERVER_ADDR environment variable
andrenth at gmail
Apr 11, 2014, 6:34 AM
Post #1 of 11 (33872 views)
Permalink
Hello

I'm trying to protect a webserver from DDoS attacks. The plan for this is
to not publish its IP address anywhere public. DNS records point to a CDN
service like CloudFlare. The CDN will sync to the webserver via a random
entry in the zone, making it "undiscoverable".

The issue I'm facing is that a malicious user would still be able to find
the real server address via Apache's SERVER_ADDR environment variable, eg.
from a PHP script. I tried using SetEnv / SetEnvIf to change it's value or
unset it, but apparently this is not possible. I believe writing a module
to do just that won't work either, since as I understand it, the variable
is set after all modules are processed.

Would it be a good idea to allow SERVER_ADDR to optionally not be set? I
could work on a patch to do this if the idea is considered valid.

Thanks in advance,
Andre
Re: The SERVER_ADDR environment variable [ In reply to ]
h.reindl at thelounge
Apr 11, 2014, 6:52 AM
Post #2 of 11 (33846 views)
Permalink
Am 11.04.2014 15:34, schrieb Andre Nathan:
> I'm trying to protect a webserver from DDoS attacks. The plan for this is to not publish its IP address anywhere
> public. DNS records point to a CDN service like CloudFlare. The CDN will sync to the webserver via a random entry
> in the zone, making it "undiscoverable".
>
> The issue I'm facing is that a malicious user would still be able to find the real server address via Apache's
> SERVER_ADDR environment variable, eg. from a PHP script. I tried using SetEnv / SetEnvIf to change it's value or
> unset it, but apparently this is not possible. I believe writing a module to do just that won't work either, since
> as I understand it, the variable is set after all modules are processed.
>
> Would it be a good idea to allow SERVER_ADDR to optionally not be set? I could work on a patch to do this if the
> idea is considered valid.

IMHO the wrong or a too complicated way with possible side-effects

* if your IP address is not public reachable it nedds not to be protectcted
* so block any incoming request to that IP from outside
* allow only the rerverse proxy / CDN limited access on the network layer

results in maybe somebody knows the IP which means he does not know
much more than i have 127.0.0.1 and a 192.168.x.x subnet

consider that it needs a malicious user with already access, really interested
in that information, any clue what do with that information and finally if
knowing a specific IP address opens whatever attack the problem is on a
deeper level because even place it on the homepage should not do any harm

otherwise all servers out there with their real IP in DNS would have a problem

Attached Files:

Re: The SERVER_ADDR environment variable [ In reply to ]
covener at gmail
Apr 11, 2014, 7:01 AM
Post #3 of 11 (33837 views)
Permalink
> Would it be a good idea to allow SERVER_ADDR to optionally not be set? I
> could work on a patch to do this if the idea is considered valid.

I think it's a reasonable switch to add, for the concern of
inadvertent disclosure from a script. Maybe just an environment
variable or note rather than a directive since that directive would be
in the core.

It may be overkill, but it would be more useful if there were a hook
that permitted someone to cleanup after
ap_add_common_vars/ap_add_cgi_vars but that is a little tricky.
Re: The SERVER_ADDR environment variable [ In reply to ]
andrenth at gmail
Apr 11, 2014, 11:28 AM
Post #4 of 11 (33848 views)
Permalink
On Fri, Apr 11, 2014 at 11:01 AM, Eric Covener <covener@gmail.com> wrote:
>
> I think it's a reasonable switch to add, for the concern of
> inadvertent disclosure from a script. Maybe just an environment
> variable or note rather than a directive since that directive would be
> in the core.
>

Thanks. I submitted a feature request (#56395) with two implementations
(one using a core directive and one using an environment variable).

Best,
Andre
Re: The SERVER_ADDR environment variable [ In reply to ]
covener at gmail
Apr 11, 2014, 11:31 AM
Post #5 of 11 (33843 views)
Permalink
On Fri, Apr 11, 2014 at 12:28 PM, Andre Nathan <andrenth@gmail.com> wrote:
> On Fri, Apr 11, 2014 at 11:01 AM, Eric Covener <covener@gmail.com> wrote:
>>
>> I think it's a reasonable switch to add, for the concern of
>> inadvertent disclosure from a script. Maybe just an environment
>> variable or note rather than a directive since that directive would be
>> in the core.
>
>
> Thanks. I submitted a feature request (#56395) with two implementations (one
> using a core directive and one using an environment variable).

Should have been more clear, I meant a per-request environment
variable from r->subprocess_env (SetEnvIf/SetEnv) not a native one


--
Eric Covener
covener@gmail.com
Re: The SERVER_ADDR environment variable [ In reply to ]
andrenth at gmail
Apr 11, 2014, 12:00 PM
Post #6 of 11 (33835 views)
Permalink
On Fri, Apr 11, 2014 at 3:31 PM, Eric Covener <covener@gmail.com> wrote:
>
> Should have been more clear, I meant a per-request environment
> variable from r->subprocess_env (SetEnvIf/SetEnv) not a native one
>

I have a working patch for this too, but this would allow a user to use
UnsetEnv in his .htaccess and override the global behavior. Wouldn't it be
best if this couldn't be changed via .htaccess?

Best,
Andre
Re: The SERVER_ADDR environment variable [ In reply to ]
covener at gmail
Apr 11, 2014, 12:05 PM
Post #7 of 11 (33836 views)
Permalink
On Fri, Apr 11, 2014 at 1:00 PM, Andre Nathan <andrenth@gmail.com> wrote:
> On Fri, Apr 11, 2014 at 3:31 PM, Eric Covener <covener@gmail.com> wrote:
>>
>> Should have been more clear, I meant a per-request environment
>> variable from r->subprocess_env (SetEnvIf/SetEnv) not a native one
>
>
> I have a working patch for this too, but this would allow a user to use
> UnsetEnv in his .htaccess and override the global behavior. Wouldn't it be
> best if this couldn't be changed via .htaccess?

Duh, you're right. Makes a good case for the directive (or hook +
separate module but that's overkill)
Re: The SERVER_ADDR environment variable [ In reply to ]
trawick at gmail
Apr 11, 2014, 12:15 PM
Post #8 of 11 (33840 views)
Permalink
On Fri, Apr 11, 2014 at 3:00 PM, Andre Nathan <andrenth@gmail.com> wrote:

> On Fri, Apr 11, 2014 at 3:31 PM, Eric Covener <covener@gmail.com> wrote:
>>
>> Should have been more clear, I meant a per-request environment
>> variable from r->subprocess_env (SetEnvIf/SetEnv) not a native one
>>
>
> I have a working patch for this too, but this would allow a user to use
> UnsetEnv in his .htaccess and override the global behavior. Wouldn't it be
> best if this couldn't be changed via .htaccess?
>
> Best,
> Andre
>

If the user is motivated to do that, is it because PHP (for example) at the
user's disposal does not otherwise have a way to obtain similar
information, or PHP has a way to block any other ways to find that?

--
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/
Re: The SERVER_ADDR environment variable [ In reply to ]
h.reindl at thelounge
Apr 11, 2014, 6:55 PM
Post #9 of 11 (33842 views)
Permalink
Am 11.04.2014 21:15, schrieb Jeff Trawick:
> On Fri, Apr 11, 2014 at 3:00 PM, Andre Nathan <andrenth@gmail.com <mailto:andrenth@gmail.com>> wrote:
>
> On Fri, Apr 11, 2014 at 3:31 PM, Eric Covener <covener@gmail.com <mailto:covener@gmail.com>> wrote:
>
> Should have been more clear, I meant a per-request environment
> variable from r->subprocess_env (SetEnvIf/SetEnv) not a native one
>
>
> I have a working patch for this too, but this would allow a user to use UnsetEnv in his .htaccess and override
> the global behavior. Wouldn't it be best if this couldn't be changed via .htaccess?
>
> Best,
> Andre
>
>
> If the user is motivated to do that, is it because PHP (for example) at the user's disposal does not otherwise have
> a way to obtain similar information, or PHP has a way to block any other ways to find that?

simply list "getenv" in "disable_functions", put <?php $_SERVER['SERVER_ADDR']='';?>
in a file listed in "auto_prepend_file" and you are done, no need to touch httpd for
that and in case of security by obscurity allow to remove the "Server" header and hide
what webserver you are running would have more benefit

Attached Files:

Re: The SERVER_ADDR environment variable [ In reply to ]
andrenth at gmail
Apr 14, 2014, 5:05 AM
Post #10 of 11 (33831 views)
Permalink
On Fri, Apr 11, 2014 at 10:55 PM, Reindl Harald <h.reindl@thelounge.net>wrote:
>
> simply list "getenv" in "disable_functions", put <?php
> $_SERVER['SERVER_ADDR']='';?>
> in a file listed in "auto_prepend_file" and you are done, no need to touch
> httpd for
> that and in case of security by obscurity allow to remove the "Server"
> header and hide
> what webserver you are running would have more benefit
>

This is basically what I'm doing now, though from a PHP C extension (didn't
know about auto_prepend_file). Having a switch in Apache would allow a
language-agnostic solution though.
Re: The SERVER_ADDR environment variable [ In reply to ]
andrenth at gmail
Feb 25, 2022, 9:41 AM
Post #11 of 11 (7607 views)
Permalink
On Fri, Apr 11, 2014 at 10:34 AM Andre Nathan <andrenth@gmail.com> wrote:

> The issue I'm facing is that a malicious user would still be able to find
> the real server address via Apache's SERVER_ADDR environment variable, eg.
> from a PHP script. I tried using SetEnv / SetEnvIf to change it's value or
> unset it, but apparently this is not possible. I believe writing a module
> to do just that won't work either, since as I understand it, the variable
> is set after all modules are processed.
>

Sorry for reviving an ancient thread, but it could be useful for the
archives. I've just found out that this has been possible since 2.4.26
using ProxyFCGISetEnvIf.

Regards,
Andre

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal