On Apr 1, 2008, at 11:17 PM, Bill Moseley wrote:
> C::Engine::Apache does this:
>
>     # If we are running as a backend server, the user will always appear
>     # as 127.0.0.1. Select the most recent upstream IP (last in the list)
>     my ($ip) = $headers->{'X-Forwarded-For'} =~ /([^,\s]+)$/;
>     $c->request->address( $ip );
>
> Why the "most recent"? If there's two proxies then that address is
> our top proxy.
> Don't we want $c->req->address to be the client's IP?
> For example, I'm seeing this header:
>
>     X-Forwarded-For: 192.168.51.158, 10.1.6.1
>
> So C::Engine::Apache is setting $c->req->address to 10.1.6.1.
> The first IP in X-Forwarded-For is the client IP.
> Shouldn't C::Apache::Engine use the first address?

When using X-Forwarded-For you cannot trust any value that is not
added by your own upstream proxy, so we only want to use the last
value in the list.
-Andy
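
The trust rule discussed in this thread, generalized to more than one proxy: walk X-Forwarded-For from the right and stop at the first address that is not one of your own proxies. This is an added example, not code from Catalyst or from either poster; client_address, the trusted-proxy sets, and the 203.0.113.7 and 198.51.100.9 addresses are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper, not a Catalyst API. $trusted is a hashref of the
# proxy addresses you operate yourself (exact match; no CIDR handling).
sub client_address {
    my ($peer, $xff, $trusted) = @_;

    # The header means nothing unless the direct peer is one of our proxies.
    return $peer unless $trusted->{$peer};

    my @hops = grep { length } map { s/^\s+|\s+$//gr } split /,/, ($xff // '');

    # Walk from the last entry backwards. Each entry was appended by the hop
    # to its right, so it is believable only while that hop is ours.
    my $addr = $peer;
    while (@hops) {
        $addr = pop @hops;
        return $addr unless $trusted->{$addr};
    }
    return $addr;    # every listed hop was one of our own proxies
}

# Constructed inputs: the header from the thread, and the same header with
# an extra entry supplied by the client itself (documentation address).
my $seen    = '192.168.51.158, 10.1.6.1';
my $spoofed = '203.0.113.7, 192.168.51.158, 10.1.6.1';

# Assumption: 127.0.0.1 is the frontend proxy; 10.1.6.1 is the upstream proxy.
my %frontend_only = map { $_ => 1 } qw(127.0.0.1);
my %both_proxies  = map { $_ => 1 } qw(127.0.0.1 10.1.6.1);

my @cases = (
    [ 'frontend only trusted', '127.0.0.1',    $seen,    \%frontend_only ],
    [ 'both proxies trusted',  '127.0.0.1',    $seen,    \%both_proxies  ],
    [ 'client-supplied entry', '127.0.0.1',    $spoofed, \%both_proxies  ],
    [ 'direct connection',     '198.51.100.9', $spoofed, \%both_proxies  ],
);
for my $case (@cases) {
    my ($label, $peer, $xff, $trusted) = @$case;
    printf "%-22s -> %s\n", $label, client_address($peer, $xff, $trusted);
}
```

With only the frontend trusted, the result is the same last entry the regex in the thread selects. Listing both proxies moves the answer one hop left, and the extra leftmost entry never changes it.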