[Opensim-dev] Validating IP and Region

Haravikk opensim at haravikk.me
Mon Jul 24 16:51:46 UTC 2017


> On 24 Jul 2017, at 13:57, Melanie Thielker <melanie at t-data.com> wrote:
> 
> Hi,
> 
> there is no point in trying to do that because the grid services are
> so varied in scope and can be behind reverse proxies, etc.

Reverse proxies shouldn't be a problem; if a grid is behind one it should still receive the request for IP/region confirmation as normal (just as you can log in etc. as normal). If the web-service is behind one then usually they will still be passed Forward-For and related headers from which it can get the source IP (Apache and nginx can do this automatically so you don't have to do it in your app-code).

If a simulator is proxied in such a way that the source IP that the web-service sees doesn't match what the grid is willing to verify, then that's precisely the kind of suspicious case I'd like to be able to detect. For my own web-services this alone won't be enough to block access, but will cause the requests to be handled as "untrusted", either requiring some authentication, or limiting what can be done.

> IP has not been a security factor for a long time, since today many
> different services, not all from the same provider, share an IP.

My intent isn't to use it as absolute security; just to get some assurance that a request is actually coming from where it says it does.

> Your best approach is therefore to create HTTPS connections and do
> authentication within this secure wrapper using anything from a
> simple password to a full PKI setup, depending on the security level
> required.

For anything sensitive I absolutely still intend to use session keys to keep track of authenticated devices, but I'd still like to be able to validate that information being sent in the request is true. It's not an either/or; the capability for both can absolutely exist.

The question IMO isn't whether a callback would work, as it absolutely should; the question is how best to implement it.
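
The check this message describes, sketched as an added example that is not part of the original post and is not OpenSimulator code: take the source IP from the forwarded header only when the peer is a known reverse proxy, ask the grid to confirm it, and handle anything unconfirmed as "untrusted". Assumptions: the header is X-Forwarded-For, the proxy range is constructed, and `grid_confirms` is a hypothetical callback, since the thread has not defined one.

```python
import ipaddress

# Assumption: reverse proxies in front of the web service (constructed range).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted_proxy(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in TRUSTED_PROXIES)


def source_ip(peer_addr, forwarded_for):
    """Return the address of the nearest hop that is not one of our proxies.

    The header is consulted only when the TCP peer is a trusted proxy, and it
    is walked right to left: entries to the left of what our own proxy
    appended are supplied by the client and can be forged.
    """
    if not _is_trusted_proxy(peer_addr):
        return peer_addr
    hops = [h.strip() for h in (forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not _is_trusted_proxy(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            return peer_addr  # malformed entry: fall back to the visible peer
    return peer_addr


def classify(peer_addr, forwarded_for, claimed_region, grid_confirms):
    """Return "trusted" or "untrusted" for a request claiming a region.

    grid_confirms(ip, region) is a hypothetical callback to the grid.
    """
    ip = source_ip(peer_addr, forwarded_for)
    try:
        confirmed = bool(grid_confirms(ip, claimed_region))
    except Exception:
        confirmed = False  # grid unreachable: take the restricted path
    return "trusted" if confirmed else "untrusted"
```

An "untrusted" result does not block the request; as in the message, it selects the path that requires authentication or limits what can be done.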