On Thursday 17 July 2003 04:23, you wrote:
> On 2003.07.16, Gustaf Neumann <[EMAIL PROTECTED]> wrote:
> > a final issue coming to my mind is [ns_conn peeraddr].
>
> My vote is that [ns_conn peeraddr] always return the address of the
> remote end of the actual socket connection. If I suspect that peeraddr
> may be a reverse proxy, I want the choice of looking at [ns_conn
> headers] for an x-forwarded-for header.
well, the situation you are describing is rather rare,
were you "suspect" the request coming from a reverse proxy.
the situation is the other way round: you configure
your arrangemnet of webservers in a way that EVERY
requests comes via the reverse proxy. The reasons
for this can be quite different: hiding internal structures,
load balancing, caching, security, etc.
To give you our background: We are running quite a busy
site with up to 1.2 mio hits per day on a single openacs server,
where almost every request comes from an authenticated
user. It is not unlikely that the usage of our server
will double within the next year. We are moving towards
the reverse proxy to improve security (password sniffing)
and to balance our load.
it is fine for me to keep [ns_conn peeraddr] as it is, but
it leads to a scenario, where we (at our site) have to
introduce a [ns_conn clientaddr] (or [ad_conn clientaddr])
or to ignore the fact, that ns_conn peeraddr does not
return a useful value in cases were we dont care.
the semantics of [*_conn clientaddr] are as follows:
- when the aolserver is configured to run
behind a proxy, and
- x-forwarded-for is given
- then *_conn clientaddr returns the
provided ip address form x-forwarded-for,
- otherwise it returns the same value as [ns_conn peeraddr].
A short grep through our code found 77 occurances
of [ns|ad_conn peeraddr], most of these are from
openacs. So far, I found no case, where the ip-address
of a reverse proxy seems to be the intended result if
*_conn peeraddr....
Certainly it is no big deal to change these places and define our
own extended version of e.g. ad_conn and replace the
77 occurances of peeraddr with clientaddr, but it seems
not unlikely to me that other users of reverse proxies
with have the same problem. i wonder that this
discussion was not coming up earlier...
> You always want more choice and flexibility, not less ...
i always wanted to make my life less complicated, not more.
-gustaf
--
Univ.Prof. Dr.Gustaf Neumann
Abteilung f�r Wirtschaftsinformatik
WU-Wien, Augasse 2-6, 1090 Wien
--
AOLserver - http://www.aolserver.com/
To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of
your email blank.
