> Are there any deployment scenarios where META.REMOTE_ADDR is ever even
correct?
Yes, when running a WSGI server that faces the internet, with no
intermediate proxies.
On Wed, Apr 19, 2023 at 3:51 PM Arthur Pemberton wrote:
> At this point, I'm not even suggesting that Django handle this
At this point, I'm not even suggesting that Django handle this internally.
I'm suggesting that the behaviour/expectation be documented, at least in
the deployment guide.
Are there any deployment scenarios where META.REMOTE_ADDR is ever even
correct?
Arthur Pemberton
On Wed, Apr 19, 2023 at 3:37
As someone whose worked on various projects in different languages over the
last 15 years that heavily involved deciphering IP sent in headers to try
to determine the "real" IP address of a connection, I would urge caution
with anything around determining a "real IP". There is no standard in
It's surprisingly complex to interpret x-forwarded-for:
https://www.brainonfire.net/blog/2022/03/04/understanding-using-xff/ . We
will never be able to safely add automated handling.
I *guess* we could add a note to the deployment guide like "check your
HTTP_X_FORWARDED_FOR setting". I'm
I have read previous discussions (most recent I could find was Dec 2013
[1] ) on the inclusion of `HTTP_X_FORWARDED_FOR` based logic to get the
"real" IP address of an HttpRequest. From what I can see, currently there
is currently no automatic handling of `HTTP_X_FORWARDED_FOR` in Django.