Re: Production Django use and "real ip"

2023-04-20 Thread 'Adam Johnson' via Django developers (Contributions to Django itself)
> Are there any deployment scenarios where META.REMOTE_ADDR is ever even correct?
Yes, when running a WSGI server that faces the internet, with no intermediate proxies.
On Wed, Apr 19, 2023 at 3:51 PM Arthur Pemberton wrote:
> At this point, I'm not even suggesting that Django handle this

Re: Production Django use and "real ip"

2023-04-19 Thread Arthur Pemberton
At this point, I'm not even suggesting that Django handle this internally. I'm suggesting that the behaviour/expectation be documented, at least in the deployment guide. Are there any deployment scenarios where META.REMOTE_ADDR is ever even correct?
Arthur Pemberton
On Wed, Apr 19, 2023 at 3:37 

Re: Production Django use and "real ip"

2023-04-19 Thread 'st...@jigsawtech.co.uk' via Django developers (Contributions to Django itself)
As someone who's worked on various projects in different languages over the last 15 years that heavily involved deciphering IP sent in headers to try to determine the "real" IP address of a connection, I would urge caution with anything around determining a "real IP". There is no standard in

Re: Production Django use and "real ip"

2023-04-14 Thread 'Adam Johnson' via Django developers (Contributions to Django itself)
It's surprisingly complex to interpret x-forwarded-for: https://www.brainonfire.net/blog/2022/03/04/understanding-using-xff/ . We will never be able to safely add automated handling. I *guess* we could add a note to the deployment guide like "check your HTTP_X_FORWARDED_FOR setting". I'm

Production Django use and "real ip"

2023-03-31 Thread Arthur Pemberton
I have read previous discussions (most recent I could find was Dec 2013 [1]) on the inclusion of `HTTP_X_FORWARDED_FOR` based logic to get the "real" IP address of an HttpRequest. From what I can see, there is currently no automatic handling of `HTTP_X_FORWARDED_FOR` in Django.