As an aside, is anyone talking about seriously using this for access control? We've established that using X-F-F is a bad idea for that, in fact, I'd say that even known REMOTE_ADDR based auth is a bad idea, so why does it matter whether it is "trustworthy"?
Anyway - I use X-F-F for IP geolocation, so I want the address to the farthest left. Just to illustrate the spoofing scenario: I sent X-Forwarded-For: 66.66.66.66 to my server (LB, then mod_proxy) so it receives the following in the end: (unless configured to do otherwise) X-Forwarded-For: 66.66.66.66, 24.152.161.x, 127.0.0.1 otherwise it would have resulted in X-Forwarded-For: 24.152.161.x, 127.0.0.1 Obviously IP geolocation is very unreliable, but I definitely want the farthest left IP. If it's private, I still want it so I don't bother to geolocate - because the geolocation will be worthless anyway as the proxy is often located somewhere else entirely and I don't want to show the user that incorrect location. Likewise, if it's faked, I really don't care either. If I wanted what my _proxy_ saw as the REMOTE_ADDR, then this middleware would need to be implemented using the x_forwarded_for.split(",")[-NUMBER_OF_TRUSTED_PROXY_SERVERS].strip() method suggested by Leo. After rethinking this, I believe the interpretation of this header is very much application-specific, so I'd suggest something with the following effect to maintain compatibility and satisfy those that want the client to the farthest out LB/rev proxy: def __init__(self): self.proxies = getattr(settings, 'NUM_TRUSTED_PROXIES', 0) def process_request(self, request): try: real_ip = request.META['HTTP_X_FORWARDED_FOR'] except KeyError: return None else: real_ip = real_ip.split(",")[-self.proxies].strip() request.META['REMOTE_ADDR'] = real_ip ~chris On Sep 20, 4:08 pm, "Leo Soto M." <[EMAIL PROTECTED]> wrote: > On 9/20/07, Deryck Hodge <[EMAIL PROTECTED]> wrote: > > > > > A quick Google search turns up that this is indeed easily configurable > > for both Squid and mod_proxy and the defaults look sane. > > What are those defaults?. > > My google-foo is very low today, and I only arrived at the squid > FAQ[1], which says "We must note that access controls based on this > header are extremely weak and simple to fake. Anyone may hand-enter a > request with any IP address whatsoever[...]". > > And the mod_proxy page dind't help either, it just says: "Be careful > when using these headers on the origin server, since they will contain > more than one (comma-separated) value if the original request already > contained one of these headers." > > [1]http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#head-3518b69c63... > [2]http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers > -- > Leo Soto M. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Django developers" group. To post to this group, send email to django-developers@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/django-developers?hl=en -~----------~----~----~----~------~----~------~--~---