On 9/20/07, Jacob Kaplan-Moss <[EMAIL PROTECTED]> wrote:
>
> Howdy folks --
>
> So I need a bit of help figuring out how to handle X-Forwarded-For,
> and specifically what to do in the presence of multiple IPs.
>
> Django's SetRemoteAddrFromForwardedFor middleware used to take the
> *first* item in the X-F-F header, but after
> http://code.djangoproject.com/ticket/3872 was filed we changed it to
> take the *last* IP.
>
> Now we're getting reports that the IP we want is, in fact, the first
> IP after all (a fact confirmed by
> http://en.wikipedia.org/wiki/X-Forwarded-For -- if Wikipedia is
> capable of actually confirming anything :)
Wikipedia isn't confirming that the first IP should be taken. It says that the first entry is the "farthest downstream client". But if you are going to believe it, you are blindly trusting every downstream client who is providing some part of such a list. What stops the client who wants to set X-Forwarded-For to a false address? When it passes through the reverse proxy, X-Forwarded-For will be "false-address, the-real-address".

So, the only case when you really want to use the X-Forwarded-For middleware is when you have exactly _one_ trusted reverse proxy in front of your server. In such a case, the proxy will append the address of its client at the _end_ of X-Forwarded-For (because if the header already exists, the proxy's client is not supposed to be the "farthest downstream client").

I can't explain why, according to the ticket, Chris Bennett gets "HTTP_X_FORWARDED_FOR: 66.162.32.x, 127.0.0.1". But, using Wikipedia again as reference, it would indicate that _two_ proxies are involved.

Anyway, please *do not* revert it. Such a change would make it easy to fake the remote address when using that middleware. If people are _really_ using more than one trusted proxy (a transparent Squid getting in the way maybe?), the middleware could have a setting to let the user indicate how many values of X-Forwarded-For are known to be good.

--
Leo Soto M.
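The trust model argued in the reply above, as an added example that is not Django's own middleware: count back from the *end* of X-Forwarded-For over the proxies you control, because each trusted proxy appends the address of the peer it accepted the connection from, and everything to the left of those entries is client-supplied. The `trusted_proxies` parameter stands in for the hypothetical setting the reply suggests; the addresses in the sample `META` dicts are constructed.

```python
# Added example, not code from Django. Picks the client IP by counting
# back over the proxies we trust, instead of taking the first entry.

def client_ip(meta, trusted_proxies=1):
    """Return the best-trusted client IP from a WSGI-style META dict.

    trusted_proxies is the number of reverse proxies known to sit in
    front of this server (hypothetical setting; default is the single
    trusted proxy case the reply describes).
    """
    remote_addr = meta.get("REMOTE_ADDR", "")
    xff = meta.get("HTTP_X_FORWARDED_FOR", "")
    if trusted_proxies < 1 or not xff:
        # No trusted proxy in front of us: REMOTE_ADDR is the real peer.
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if len(hops) < trusted_proxies:
        # Fewer entries than proxies we trust: the header was not built
        # by our proxy chain as expected, so do not trust any of it.
        return remote_addr
    # The entry written by the outermost trusted proxy is the client;
    # with one proxy this is simply the last value in the header.
    return hops[-trusted_proxies]


if __name__ == "__main__":
    # Constructed request: the client sent a forged X-Forwarded-For of
    # 198.51.100.7, and our single proxy appended the real peer address.
    forged = {
        "REMOTE_ADDR": "10.0.0.1",  # our reverse proxy
        "HTTP_X_FORWARDED_FOR": "198.51.100.7, 203.0.113.9",
    }
    print("first entry (forgeable):", forged["HTTP_X_FORWARDED_FOR"].split(",")[0])
    print("trusted client:", client_ip(forged))  # 203.0.113.9
```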