On 9/20/07, Leo Soto M. <[EMAIL PROTECTED]> wrote:
>
> On 9/20/07, Deryck Hodge <[EMAIL PROTECTED]> wrote:
> >
> > A quick Google search turns up that this is indeed easily configurable
> > for both Squid and mod_proxy and the defaults look sane.
>
> What are those defaults?
>
> My google-foo is very low today, and I only arrived at the squid
> FAQ[1], which says "We must note that access controls based on this
> header are extremely weak and simple to fake. Anyone may hand-enter a
> request with any IP address whatsoever[...]".
>
> And the mod_proxy page didn't help either, it just says: "Be careful
> when using these headers on the origin server, since they will contain
> more than one (comma-separated) value if the original request already
> contained one of these headers."
>

Okay, so I'm partially right here.  See:
http://www.visolve.com/squid/squid26/accesscontrols.php#follow_x_forwarded_for

Squid doesn't append to an existing x-f-f header by default, which
seems sane.  Turns out mod_proxy does blindly append and it's not
configurable (I asked on irc.freenode.net#apache and looked at the
source.)  Personally, I think since x-forwarded-for is a de facto
standard because of Squid I would consider Squid's implementation the
one to follow and call this a bug in Apache.  I didn't check
perlbal or any other implementation.

Of course, this is straying a bit from the original topic.  I still
think the middleware as reverted by Jacob is correct.  Whether or not
you trust REMOTE_ADDR to be the actual client IP after using the
middleware is a matter of which proxy or proxies you use, how you have
said proxies configured, and what you consider the client (machine
connecting to trusted proxies or actual person surfing the web).

If people feel this needs clarifying in the docs, I would be happy to
work up a patch for the section on this middleware going into a bit
more detail, but this could be a little overkill, given a warning
already exists there.

Cheers,
deryck
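The two proxy behaviours described in the message above, simulated side by side with a resolver that trusts only known proxies. This is an added illustration, not code from Django's middleware or from Squid or mod_proxy; the 10.0.0.0/8 proxy range, the client and proxy addresses, and the "leftmost entry" naive strategy are assumptions made for the demonstration.

```python
import ipaddress

# Added example (not Django's middleware or either proxy's code). How much an
# X-Forwarded-For chain can be trusted depends on which proxies sit in front of
# the application and whether they append to a header the client already sent.
# All addresses below are constructed for the demonstration.

TRUSTED_PROXIES = (
    ipaddress.ip_network("10.0.0.0/8"),  # assumed internal reverse-proxy range
)


def _parse_ip(token):
    """Return an ip_address for token, or None if it is not a valid address."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def naive_client_ip(remote_addr, xff):
    """Leftmost-entry strategy (assumed for illustration): believe the header."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def trusted_client_ip(remote_addr, xff):
    """Walk the chain from the right, past every proxy we control.

    The peer (REMOTE_ADDR) is the only hop verified by our own TCP connection.
    Each trusted proxy appended the address that connected to it, so entries
    are trustworthy from the right as long as the proxy that appended them is
    ours. The first address not in TRUSTED_PROXIES is the client; anything to
    its left was supplied by the client and is ignored.
    """
    peer = _parse_ip(remote_addr)
    if peer is None or not _is_trusted(peer):
        return remote_addr  # no trusted proxy involved: the header is meaningless
    hops = xff.split(",") if xff else []
    for token in reversed(hops):
        addr = _parse_ip(token)
        if addr is None:
            return remote_addr  # malformed entry: fall back to the verified peer
        if not _is_trusted(addr):
            return str(addr)
    return remote_addr  # every hop was a proxy of ours; nothing better is known


def proxy_append(inbound_xff, client_addr):
    """mod_proxy style, as described in the thread: append to an existing header."""
    return f"{inbound_xff}, {client_addr}" if inbound_xff else client_addr


def proxy_keep_existing(inbound_xff, client_addr):
    """Squid default, as described in the thread: leave an existing header alone."""
    return inbound_xff if inbound_xff else client_addr


def simulate(proxy_behaviour, client_addr, client_header, proxy_addr="10.0.0.5"):
    """Client sends client_header to the proxy, which forwards to the application."""
    xff = proxy_behaviour(client_header, client_addr)
    return {
        "header_seen_by_app": xff,
        "naive": naive_client_ip(proxy_addr, xff),
        "trusted_walk": trusted_client_ip(proxy_addr, xff),
    }


if __name__ == "__main__":
    for name, behaviour in (("append", proxy_append), ("keep-existing", proxy_keep_existing)):
        print(name, simulate(behaviour, "203.0.113.7", "127.0.0.1"))
```

With an appending proxy, the right-to-left walk recovers the real client even when the client supplied its own header, while the leftmost-entry strategy reports whatever the client wrote. With a proxy that passes an existing header through untouched, no resolver on the application side can tell the client's entry from a real one, so the proxy itself has to be configured to strip or overwrite the header; that is the configuration dependency the message describes.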

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To post to this group, send email to django-developers@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/django-developers?hl=en
-~----------~----~----~----~------~----~------~--~---
