> "Dave Steinberg" <d...@redterror.net> wrote in 
> message news:mailboxer.1303.1256230199.98.po...@apsis.ch...
> Iñaki Baz Castillo wrote:
> > On Thursday, 22 October 2009, Jacques Caron wrote:
> >> At 16:08 22/10/2009, Eric B. wrote:
> >>> 1) There is no way to know the exact sequence of the headers.
> >> As already pointed out by Dave, the HTTP RFC explicitly says that
> >> header: a
> >> header: b
> >>
> >> is exactly equivalent to:
> >> header: a,b
> >>
> >> So the sequence is perfectly defined.
> >
> > The problem is that X-Forwarded-For definition is exactly the opposite.
>
> I still don't see how pound is doing things wrong here.  If it gets a 
> request like:
>
> X-Forwarded-For: client1, proxy1
>
> and then the header sent to the backend is:
>
> X-Forwarded-For: client1, proxy1
> X-Forwarded-For: proxy2
>
> then that is correct based on the reconstruction rules cited previously 
> and the definition here:
>
> http://en.wikipedia.org/wiki/X-Forwarded-For
>
> Is pound doing something other than what I've described above?

No - pound is doing that.  My question is what happens if this request then 
goes through Squid (or another LB/Proxy).  Does the LB/Proxy expect a single 
XFF and simply append it to the first one it finds, or does it specifically 
look for the last XFF and append to that one?

ie: will the result of a proxy3 be:
XFF: client1, proxy1
XFF: proxy2 (pound), proxy3

or

XFF: client1, proxy1, proxy3
XFF: proxy2

If the former, then no problem.  If the latter, then there is a bigger issue 
to be dealt with....

For me, I have noticed this as I am using Tomcat behind pound to serve my 
Java app, and in order to avoid any IP problems, am using a Tomcat Valve to 
reconstruct the original protocol/source ports for the request so that my 
app doesn't actually need to change.  In the Valve, I noticed that they are 
not accounting for multiple XFF headers; not a big deal - I can fix that. 
However, it then begged the bigger question of whether or not downstream 
proxies will work properly with Pound's extra header, when Pound seems to be 
the only Proxy out there that adds it in...

Thanks,

Eric
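
Added example, not part of the original message and not code from pound, Squid or Tomcat: a backend-side reader that joins every X-Forwarded-For line in received order (the RFC rule quoted above) and then walks the chain from the right. The addresses, the trusted 10.0.0.0/8 proxy range and the function names are constructed for illustration; client1 is 203.0.113.7 and proxy1..proxy3 are 10.0.0.1..10.0.0.3.

```python
import ipaddress

def combine_xff(headers):
    """Join every X-Forwarded-For line, in received order, into one hop list."""
    hops = []
    for name, value in headers:
        if name.strip().lower() == "x-forwarded-for":
            hops.extend(h.strip() for h in value.split(",") if h.strip())
    return hops

def client_address(headers, peer, trusted_nets):
    """Walk right to left from the TCP peer and return the first address
    that is not inside a trusted proxy network (None if there is none)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    for hop in reversed(combine_xff(headers) + [peer]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # unparsable hop: nothing to its left can be relied on
        if not any(addr in net for net in trusted):
            return str(addr)
    return None  # every hop was one of our own proxies

# Constructed samples for the two outcomes asked about in the message.
TRUSTED = ["10.0.0.0/8"]   # assumption: all proxies live in this range
PEER = "10.0.0.9"          # assumption: address the backend sees on the socket

# proxy3 appends to the LAST header line: combined order is preserved.
APPEND_TO_LAST = [
    ("X-Forwarded-For", "203.0.113.7, 10.0.0.1"),
    ("X-Forwarded-For", "10.0.0.2, 10.0.0.3"),
]
# proxy3 appends to the FIRST header line: combined order is scrambled.
APPEND_TO_FIRST = [
    ("X-Forwarded-For", "203.0.113.7, 10.0.0.1, 10.0.0.3"),
    ("X-Forwarded-For", "10.0.0.2"),
]

if __name__ == "__main__":
    print(combine_xff(APPEND_TO_LAST))       # hops in true order
    print(combine_xff(APPEND_TO_FIRST))      # proxy3 now appears before proxy2
    print(combine_xff(APPEND_TO_LAST[:1]))   # a first-line-only reader loses hops
    print(client_address(APPEND_TO_LAST, PEER, TRUSTED))
```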



