On Aug 3, 2007, at 7:03 AM, Torsten Foertsch wrote:

> This idea won't work in general. First, not all proxies set an X-Forwarded-For header. Second, many proxies sit in front of private networks 10.0.0.0/8 or 172.16.0.0/16 or 192.168.0.0/16 or 127.0.0.0/8. If they set the header you get different clients with the same IP-address. Also, be aware that a request can travel through multiple proxies. Thus, you can get multiple X-Forwarded-For headers.

I'll go a step further, and say that this is a particularly bad idea (for essentially the same reasons above).

The only proxy server headers you should care about or trust are those that are from your own LAN.

Your firewall/gateway/whatever should ideally strip the X-Forwarded-For, or rename it to something else. XFF should be your internal LAN marking. It's trivial for people to spoof headers; it's trivial for poorly designed networks to just insert inane headers as well.

It's not a matter of whether it's feasible to access that information; it's just that the information is worthless and not trustable simply by the design of the protocol and current global implementations.

In almost any case, using these will lead to issues in your system.


That said, for header manipulation, you can reference these modules:
        MP1     http://search.cpan.org/dist/Apache-ForwardedFor/
        MP2     http://search.cpan.org/dist/Apache2-xForwardedFor

Note they both operate as a handler and override the info in $r; you ESPECIALLY DO NOT want to do that in your case.
        

// Jonathan Vanasco

Founder/President - FindMeOn
Founder/CEO - RoadSound
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|      FindMeOn.com - The cure for Multiple Web Personality Disorder
|      Web Identity Management and 3D Social Networking
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|      RoadSound.com - Tools For Bands, Stuff For Fans
|      Collaborative Online Management And Syndication Tools
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
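The two points raised in this thread (only your own proxies' headers can be trusted, and a request may carry several X-Forwarded-For hops or headers) translate into one concrete rule: walk the hop list from the right, peel off the proxies you operate, and take the first address that is not yours. The Python below is an added example written for this thread; it is not code from the list, from mod_perl, or from the CPAN modules named above. The trusted-proxy ranges and the sample requests are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List

# Constructed example: the proxies we operate ourselves (the "own LAN" set
# from the discussion). Anything outside these ranges is untrusted.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def parse_forwarded_for(header_values: Iterable[str]) -> List[str]:
    """Flatten one or more X-Forwarded-For header values into a hop list.

    A request that crossed several proxies may carry several XFF headers
    or one comma-joined value; HTTP treats repeated headers as equivalent
    to a comma-joined list, so both forms end up as the same hop list,
    leftmost hop first.
    """
    hops: List[str] = []
    for value in header_values:
        for token in value.split(","):
            token = token.strip()
            if token:
                hops.append(token)
    return hops


def is_trusted_proxy(addr: str) -> bool:
    """True only for addresses inside the ranges we ourselves operate."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # junk such as "unknown" is never one of our proxies
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff_values: Iterable[str]) -> str:
    """Return the address we are willing to log or act on.

    remote_addr is the TCP peer that connected to us.  If that peer is not
    one of our proxies, the header was not written by us and is ignored.
    Otherwise walk the chain from the right (the hop nearest to us),
    skipping our own proxies; the first foreign hop is the best client
    address we can vouch for.  Everything to its left was written by
    machines we do not control and is discarded, which is what defeats a
    spoofed value prepended by the client.
    """
    if not is_trusted_proxy(remote_addr):
        return remote_addr
    for hop in reversed(parse_forwarded_for(xff_values)):
        if is_trusted_proxy(hop):
            continue  # one of ours, keep peeling
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # A malformed hop where a proxy address should be means the
            # chain cannot be trusted beyond this point; fall back.
            return remote_addr
        return hop
    # Header absent, or every hop was one of ours: the peer is the best we have.
    return remote_addr


if __name__ == "__main__":
    # Constructed sample requests.
    print(client_ip("203.0.113.5", ["198.51.100.9"]))            # header ignored
    print(client_ip("10.0.0.2", ["1.2.3.4", "198.51.100.9"]))    # spoofed hop dropped
```

The last sample models a client that sent its own `X-Forwarded-For: 1.2.3.4` before your proxy appended the real peer address: the right-to-left walk returns `198.51.100.9` and never looks at the forged value. Applying this only in your own application code, and never writing the result back into the request's remote address, is the point Jonathan makes about the two handler modules above.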

