On 9/20/07, Leo Soto M. <[EMAIL PROTECTED]> wrote:
>
> On 9/20/07, Deryck Hodge <[EMAIL PROTECTED]> wrote:
> > I completely agree you shouldn't use this middleware unless you know
> > and trust the proxy setup, but I can easily imagine (large corporate
> > networks) a situation where there could be multiple proxies. Seems to
> > me it's better to be clear of the dangers in the docs rather than
> > trying to prevent someone using this with multiple proxies.
>
> No. With the patch applied, the Middleware is *secure* for people who
> trust in _one_ reverse proxy. Without it, the Middleware is *insecure*
> for anybody who uses it. The use case for reverse proxy users who want
> to have a *reliable* remote address is not even hard: it is impossible.
> No documentation can fix it.
>

But what about the case of multiple trusted proxies (not the case of
the client acting as a proxy)? Or what about if the proxy sends the
XFF header as [CLIENTIP, PROXYIP], which is what I believe the major
ones do and what causes the patch to break existing setups?

Cheers,
deryck
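
Added example, not part of the original thread and not the patch or Django's own code: one way to resolve the client address when one or several proxies are trusted, by walking X-Forwarded-For from right to left and stopping at the first hop that is not a trusted proxy. The function name `client_ip`, the `trusted_proxies` parameter and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress


def client_ip(remote_addr, xff_header, trusted_proxies):
    """Return the nearest hop that is not a trusted proxy.

    remote_addr     -- socket peer address (REMOTE_ADDR)
    xff_header      -- raw X-Forwarded-For value, or None
    trusted_proxies -- iterable of addresses/CIDRs (hypothetical setting)
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(addr):
        return any(addr in net for net in nets)

    peer = ipaddress.ip_address(remote_addr)
    if not trusted(peer):
        # Direct connection: the header is entirely client-controlled.
        return str(peer)

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Only entries appended by trusted proxies can be believed, and those
    # are at the right-hand end, so walk the list from right to left.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        peer = addr
        if not trusted(addr):
            break  # first untrusted hop; everything to its left is unverified
    return str(peer)


if __name__ == "__main__":
    # Constructed sample requests: (REMOTE_ADDR, X-Forwarded-For, trusted set)
    samples = [
        ("10.0.0.1", "203.0.113.7", ["10.0.0.1"]),               # one proxy
        ("10.0.0.1", "1.2.3.4, 203.0.113.7", ["10.0.0.1"]),      # forged prefix
        ("10.0.0.2", "203.0.113.7, 10.0.0.1", ["10.0.0.0/8"]),   # proxy chain
        ("198.51.100.9", "10.0.0.1", ["10.0.0.0/8"]),            # no proxy
    ]
    for remote, xff, proxies in samples:
        print(remote, "|", xff, "->", client_ip(remote, xff, proxies))
```

The result is only as reliable as the trusted set: any listed address that can be reached or impersonated by clients lets them choose the returned value.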