Dear Luke,

On Nov 16, 1:12 pm, Luke Plant <l.plant...@cantab.net> wrote:
> It's not obvious what you are asking.  We removed the
> SetRemoveAddrFromForwardedFor middleware for reasons described here:
> http://docs.djangoproject.com/en/dev/releases/1.1/#removed-setremoteaddrfromforwardedfor-middleware

Thank you for plowing through my previous message; I'm not sure I'm
fully aware of the reasons why it was replaced, but I read those
release notes and these:

  * http://code.djangoproject.com/ticket/3872
  * http://bob.pythonmac.org/archives/2005/09/23/apache-x-forwarded-for-caveat/
  * http://code.djangoproject.com/ticket/9064

I think I can trust the X-Forwarded-For header added by my own proxy,
and any X-Forwarded-For header added inside my infrastructure. I
cannot trust the X-Forwarded-For headers already submitted by the
client. I know that when a request arrives at a Django instance, it
traversed these addresses:

  * end-user internal-IP
  * end-user "outside" address -- as seen by my proxy!
  * my own proxy

Which is why the middleware I wrote above only considers pop()'ing the
proxy stack as far as the addresses match the proxy-chain configured
in ``settings.PROXY_CHAIN``. The first unmatching address gets into
REMOTE_ADDR.

> Are you asking for your middleware to go in to core to replace it?

I thought I'd have a go at it, since I have this particular itch to
scratch. As I said, SMTP has to deal with the same problem, and the
way you do it is by:

  a) having a trusted list, and inspecting the first-untrusted address
added by your own trusted relay.
  b) having the outside-facing machine remove any X-Real-Client-IP
header and adding one herself with the REMOTE_ADDR as seen from her
point of view.

I chose a), although Apache can be used / abused to do the X-Real-
Client-IP trick. The code already Works On My Machine, but I need
someone to test if it works when you have double internal proxying
like:

  * <external-proxy>
  * <localhost-proxy>
  * <django-http>

If we can reach a rough consensus, I'll clean up the code a bit and
try my hand at some unittesting.


Thank you, and kind regards,
--
Luis Bruno
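The pop-the-trusted-chain rule described in the message above, written out as an added example; this is not the middleware from the thread or Django's own code. `PROXY_CHAIN` comes from the post; the function name, the helper and the sample addresses are assumptions.

```python
# Added example: resolve the client address by popping our own trusted
# proxies off the right end of the X-Forwarded-For stack, stopping at
# the first address not in PROXY_CHAIN (the "first-untrusted" rule).
from ipaddress import ip_address


def _canon(addr):
    """Canonical text form of an IP address, or None if it does not parse."""
    try:
        return str(ip_address(addr.strip()))
    except ValueError:
        return None


def resolve_client_ip(remote_addr, forwarded_for, proxy_chain):
    """Return the address to put in REMOTE_ADDR.

    remote_addr:   REMOTE_ADDR as seen by the Django process (the last hop).
    forwarded_for: raw X-Forwarded-For header value, or None.
    proxy_chain:   settings.PROXY_CHAIN, assumed here to be an iterable of
                   our own proxy addresses as strings.
    """
    trusted = {_canon(p) for p in proxy_chain} - {None}
    # Hop stack, oldest on the left: whatever the client sent in its own
    # header, then the client's outside address as appended by our first
    # proxy, then each further proxy, and finally the peer we talked to.
    hops = [h for h in (forwarded_for or "").split(",") if h.strip()]
    hops.append(remote_addr)
    # Pop only while the top of the stack is one of our own proxies. If
    # remote_addr itself is untrusted, nothing is popped and the header
    # is ignored entirely, which is the safe outcome.
    while hops and _canon(hops[-1]) in trusted:
        hops.pop()
    if not hops:
        # Every hop was our own proxy (e.g. a health check from the proxy
        # itself): report the immediate peer.
        return remote_addr
    client = _canon(hops[-1])
    # A malformed entry can only have come from an untrusted source, so
    # refuse to trust the header and fall back to the peer address.
    return client if client is not None else remote_addr
```

The double-proxying case from the message (external proxy in front of a localhost proxy) is handled by listing both addresses in `PROXY_CHAIN`, so both get popped before the client address is reached.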
