On 9/20/07, Leo Soto M. <[EMAIL PROTECTED]> wrote:
>
> On 9/20/07, Deryck Hodge <[EMAIL PROTECTED]> wrote:
> > I guess I would challenge the notion, too, that you can't trust the
> > client IP when you trust the proxy or proxies, at least in the sense
> > of knowing trusted proxies versus untrusted. For example, if my setup
> > has proxies p1 and p2:
> >
> > client (untrusted) --> p1 --> p2 --> django
> >
> > Can't I trust p1 and p2 to set up client IP appropriately in XFF
> > between the two of them? It's not like p1 or p2 are going to read the
> > XFF header from the untrusted client.
>
> Yes, of course they *are* going to read it. Otherwise, how would they
> assemble the XFF header? (Yeah, proxies could have an option to
> white-list known proxies downstream, but do they?).
>

A quick Google search turns up that this is indeed easily configurable
for both Squid and mod_proxy and the defaults look sane. I'd guess the
same for most any decent proxy, but I'm not willing to do the research
on every proxy I can think of. :-)

This is why I say it's an issue of trusting the proxies, not Django, to
do the right thing in this case. If your proxy blindly follows
X-Forwarded-For for untrusted clients, you've got it configured wrong,
and there's nothing Django can do about that.

Cheers,
deryck
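
An added example, not part of the thread and not Django code: the p1/p2 topology discussed above, with proxies assumed to append the address of their socket peer to X-Forwarded-For. It compares taking the leftmost XFF entry with walking the chain back from the socket peer through a list of trusted proxies. All addresses, the sample header and the function names are constructed for illustration.

```python
import ipaddress

# Constructed addresses for: client (untrusted) --> p1 --> p2 --> django
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.1/32"),  # p1 (assumed address)
    ipaddress.ip_network("10.0.0.2/32"),  # p2 (assumed address)
]
# Constructed request: the client at 203.0.113.7 sent its own XFF value
# "198.51.100.99"; p1 appended the client's address, p2 appended p1's.
SAMPLE_XFF = "198.51.100.99, 203.0.113.7, 10.0.0.1"
SAMPLE_REMOTE_ADDR = "10.0.0.2"  # django's socket peer is p2


def parse(addr):
    """Return an ip_address object, or None if addr is not a valid IP."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def is_trusted(ip, trusted):
    return ip is not None and any(ip in net for net in trusted)


def naive_client_ip(remote_addr, xff):
    """Leftmost XFF entry: whatever the untrusted client chose to send."""
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip(remote_addr, xff, trusted=TRUSTED_PROXIES):
    """Walk hops from the socket peer backwards; return the first address
    that is not a trusted proxy. Anything left of it is client-supplied."""
    if not is_trusted(parse(remote_addr), trusted):
        return remote_addr  # peer is not a known proxy: ignore XFF entirely
    nearest = remote_addr
    for hop in reversed([h for h in (xff or "").split(",") if h.strip()]):
        ip = parse(hop)
        if ip is None:
            return nearest  # malformed entry: stop at the last valid hop
        if not is_trusted(ip, trusted):
            return str(ip)
        nearest = str(ip)
    return nearest  # every hop was a trusted proxy


if __name__ == "__main__":
    print("leftmost entry :", naive_client_ip(SAMPLE_REMOTE_ADDR, SAMPLE_XFF))
    print("trusted walk   :", client_ip(SAMPLE_REMOTE_ADDR, SAMPLE_XFF))
```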