On Sunday 20 July 2003 03:31, you wrote:
> On 2003.07.20, Gustaf Neumann <[EMAIL PROTECTED]> wrote:
> > my primary point is: if you are running an aolserver behind a proxy,
> > the current value of [ns_conn peeraddr] is not very useful.
>
> So:
>
> proc ns_clientaddr {} {
>     set addr [lindex [ns_set iget [ns_conn headers] x-forwarded-for] end]
>     if {[string length $addr] == 0} {
>         return [ns_conn peeraddr]
>     } else {
>         return $addr
>     }
> }
I would suggest to check some appropriate config-flag as well to
avoid x-forwarded-for address spoofing (assuming a Boolean
flag in ns/parameters):
proc ns_clientaddr {} {
    # Only consult X-Forwarded-For when the server is configured as
    # running behind a reverse proxy; otherwise the header is client-supplied.
    if {[ns_config -bool ns/parameters runningBehindReverseProxy 0]} {
        set addr [lindex [ns_set iget [ns_conn headers] x-forwarded-for] end]
        if {[string length $addr] > 0} {
            return $addr
        }
    }
    return [ns_conn peeraddr]
}
or to define a white-list (assuming a list value for
ns/parameters runningBehindReverseProxies)
proc ns_clientaddr {} {
    set tcp_peer [ns_conn peeraddr]
    # Addresses of the proxies whose X-Forwarded-For header is trusted
    # (parameter name as stated above; -exact avoids glob matching).
    set white_list [ns_config ns/parameters runningBehindReverseProxies [list]]
    if {[lsearch -exact $white_list $tcp_peer] > -1} {
        set addr [lindex [ns_set iget [ns_conn headers] x-forwarded-for] end]
        if {[string length $addr] > 0} {
            return $addr
        }
    }
    return $tcp_peer
}
both code snippets are untested but should not be far from working.
> I'm still unsure what benefit there is in changing the current semantics
> of [ns_conn peeraddr] ...
As Matthew pointed out, you do not want to change a largish codebase,
especially if you are not maintaining the code base, and you want to
use it as black-box components. From a software engineering point of
view it is IMHO not a good idea to suggest: "when you change your
setup and move behind a reverse proxy, change all occurrences of
ns_conn peeraddr to ...".
If the community prefers to keep [ns_conn peeraddr] as it is, we would
not alter these 70+ occurrences, but modify our local copy
of [ad_conn ...] (the OpenACS value-added version of ns_conn)
to return for peeraddr the value returned from ns_clientaddr above,
and to return for tcp_peeraddr the classical [ns_conn peeraddr].
all the best
-gustaf
--
Univ.Prof. Dr.Gustaf Neumann
Abteilung für Wirtschaftsinformatik
WU-Wien, Augasse 2-6, 1090 Wien
--
AOLserver - http://www.aolserver.com/
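A fuller version of the white-list variant from the mail, as an added example rather than code from the thread, written in Python instead of Tcl so it runs stand-alone: it also splits a comma-separated X-Forwarded-For and walks the chain through several trusted proxies, and the trusted ranges are constructed placeholders.

```python
import ipaddress

# Constructed sample whitelist (hypothetical addresses), the counterpart of
# the ns/parameters list in the mail; ip_network also accepts CIDR ranges.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10")]


def is_trusted(addr):
    """True if addr parses as an IP and lies in one of the trusted proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_addr(peer, headers):
    """Return the client address for a request.

    peer    -- the TCP peer address (what [ns_conn peeraddr] returns)
    headers -- request headers as a dict; lookup is case-insensitive like ns_set iget
    """
    if not is_trusted(peer):
        # Untrusted peer: any X-Forwarded-For it sends may be spoofed, ignore it.
        return peer
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Each trusted proxy appends the address it received the request from, so
    # walk the chain right to left: the first hop that is not a trusted proxy
    # is the client. A hop that is not a valid IP was injected by someone we do
    # not trust, so nothing to its left can be believed; fall back to the peer.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer
        if not is_trusted(hop):
            return hop
    # Whole chain consists of trusted proxies (e.g. an internal health check):
    # the originator is the left-most entry, or the peer if the header was empty.
    return hops[0] if hops else peer
```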