On 9/20/07, Leo Soto M. <[EMAIL PROTECTED]> wrote:
>
> On 9/20/07, Deryck Hodge <[EMAIL PROTECTED]> wrote:
> [...]
> > But what about the case of multiple trusted proxies (not the case of
> > the client acting as a proxy)? Or what about if the proxy sends the
> > XFF header as [CLIENTIP, PROXYIP], which is what I believe the major
> > ones do and what causes the patch to break existing setups?
>
> Exactly. We have to fix these cases without breaking security. On the
> other hand, maybe a reliable remote IP address is not that important.
> Then the doc should be fixed, because currently it somehow implies
> that you can trust HTTP_X_FORWARDED_FOR in some cases. You can't.
>
> Now, if having a reliable remote IP address is important, then a
> setting (NUMBER_OF_TRUSTED_PROXY_SERVERS?) specifying how many values
> you can trust is the only thing that occurs to me. (I'm not that
> creative.)
>
> Then you get the right remote IP using
> x_forwarded_for.split(",")[-NUMBER_OF_TRUSTED_PROXY_SERVERS].strip().
>
> What do you think?
I'll let someone else speak to providing a configurable option for this. It feels a bit much for me, but it certainly provides more flexibility. But it's also not hard to write a custom middleware if your proxy setup isn't the common case.

I guess I would challenge the notion, too, that you can't trust the client IP when you trust the proxy or proxies, at least in the sense of knowing trusted proxies versus untrusted. For example, if my setup has proxies p1 and p2:

client (untrusted) --> p1 --> p2 --> django

Can't I trust p1 and p2 to set up the client IP appropriately in XFF between the two of them? It's not like p1 or p2 are going to read the XFF header from the untrusted client. If they do, the problem is in proxy trust, and I don't think Django can be asked to account for this.

Cheers,
deryck

You received this message because you are subscribed to the Google Groups "Django developers" group.
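As an added illustration of the "count the trusted proxies" approach discussed above (this is example code, not Django's code and not from anyone in the thread): the function below resolves the client address from REMOTE_ADDR plus X-Forwarded-For for a configured number of trusted proxies. It assumes, as Leo's split()[-N] one-liner does, that every trusted proxy appends exactly one address (the peer it accepted the connection from) and that the setting name NUMBER_OF_TRUSTED_PROXY_SERVERS is hypothetical. The sample addresses and the environ dict are constructed for the example. Compared with the one-liner, it also covers the cases where the request did not pass through all configured proxies (fewer entries than expected) or where a trusted hop wrote something that is not an address, falling back to REMOTE_ADDR in both, since a client-supplied value can never be trusted there.

```python
from ipaddress import ip_address


def client_ip(remote_addr, x_forwarded_for, trusted_proxy_count):
    """Resolve the client address from REMOTE_ADDR plus the X-Forwarded-For header.

    trusted_proxy_count is the number of trusted proxies between the client and
    the application (the hypothetical NUMBER_OF_TRUSTED_PROXY_SERVERS setting).
    Each trusted proxy is assumed to append exactly one address: its own peer.
    """
    chain = []
    if x_forwarded_for:
        chain = [part.strip() for part in x_forwarded_for.split(",") if part.strip()]
    # REMOTE_ADDR comes from the TCP connection, not from a header, so it is
    # the one entry nobody upstream could have forged; it is the last hop.
    chain.append(remote_addr)

    # Counting from the right: chain[-1] is REMOTE_ADDR (the last trusted
    # proxy), chain[-2] the proxy before it, and chain[-(n+1)] is whatever the
    # first trusted proxy saw as its peer, i.e. the real client.  Anything
    # further left came from the untrusted side and is simply ignored.
    needed = trusted_proxy_count + 1
    if trusted_proxy_count < 0 or len(chain) < needed:
        # The request did not pass through all configured proxies (or one of
        # them did not append an entry): nothing in the header can be trusted.
        return remote_addr

    candidate = chain[-needed]
    try:
        ip_address(candidate)
    except ValueError:
        # A trusted proxy only ever appends a syntactically valid address, so
        # anything else means the proxy count is misconfigured.
        return remote_addr
    return candidate


def client_ip_from_environ(environ, trusted_proxy_count):
    """Same lookup on a WSGI environ dict (what Django exposes as request.META)."""
    return client_ip(
        environ.get("REMOTE_ADDR", ""),
        environ.get("HTTP_X_FORWARDED_FOR"),
        trusted_proxy_count,
    )


if __name__ == "__main__":
    # Constructed sample: client 203.0.113.5 -> p1 (10.0.0.1) -> p2 (10.0.0.2) -> django
    print(client_ip("10.0.0.2", "203.0.113.5, 10.0.0.1", 2))
    # Same chain, but the client sent its own X-Forwarded-For value first;
    # the forged entry ends up left of the trusted part and is ignored.
    print(client_ip("10.0.0.2", "198.51.100.9, 203.0.113.5, 10.0.0.1", 2))
    # No proxies configured: the header is ignored entirely.
    print(client_ip("203.0.113.5", "198.51.100.9", 0))
```

With two proxies configured, the function returns 203.0.113.5 for both of the first two calls, and the third returns REMOTE_ADDR regardless of the header. The count has to match the real topology: if a request reaches the application directly, bypassing the proxies, the chain is too short and REMOTE_ADDR is returned rather than anything the sender wrote into the header.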