Author: adrian
Date: 2006-08-17 22:12:36 -0500 (Thu, 17 Aug 2006)
New Revision: 3602
Modified:
django/trunk/django/middleware/http.py
django/trunk/docs/middleware.txt
Log:
Fixed #2552 -- Added SetRemoteAddrFromForwardedFor middleware and
documentation. Thanks, Ian Holsman
Modified: django/trunk/django/middleware/http.py
===================================================================
--- django/trunk/django/middleware/http.py 2006-08-18 02:48:34 UTC (rev
3601)
+++ django/trunk/django/middleware/http.py 2006-08-18 03:12:36 UTC (rev
3602)
@@ -35,3 +35,27 @@
response.content = ''
return response
+
+class SetRemoteAddrFromForwardedFor(object):
+ """
+ Middleware that sets REMOTE_ADDR based on HTTP_X_FORWARDED_FOR, if the
+ latter is set. This is useful if you're sitting behind a reverse proxy that
+ causes each request's REMOTE_ADDR to be set to 127.0.0.1.
+
+ Note that this does NOT validate HTTP_X_FORWARDED_FOR. If you're not behind
+ a reverse proxy that sets HTTP_X_FORWARDED_FOR automatically, do not use
+ this middleware. Anybody can spoof the value of HTTP_X_FORWARDED_FOR, and
+ because this sets REMOTE_ADDR based on HTTP_X_FORWARDED_FOR, that means
+ anybody can "fake" their IP address. Only use this when you can absolutely
+ trust the value of HTTP_X_FORWARDED_FOR.
+ """
+ def process_request(self, request):
+ try:
+ real_ip = request.META['HTTP_X_FORWARDED_FOR']
+ except KeyError:
+ return None
+ else:
+ # HTTP_X_FORWARDED_FOR can be a comma-separated list of IPs.
+ # Take just the first one.
+ real_ip = real_ip.split(",")[0]
+ request.META['REMOTE_ADDR'] = real_ip
Modified: django/trunk/docs/middleware.txt
===================================================================
--- django/trunk/docs/middleware.txt 2006-08-18 02:48:34 UTC (rev 3601)
+++ django/trunk/docs/middleware.txt 2006-08-18 03:12:36 UTC (rev 3602)
@@ -63,7 +63,7 @@
last component in the path contains a period. So ``foo.com/bar`` is
redirected to ``foo.com/bar/``, but ``foo.com/bar/file.txt`` is passed
through unchanged.
-
+
If ``PREPEND_WWW`` is ``True``, URLs that lack a leading "www." will be
redirected to the same URL with a leading "www."
@@ -101,6 +101,22 @@
Also removes the content from any response to a HEAD request and sets the
``Date`` and ``Content-Length`` response-headers.
+django.middleware.http.SetRemoteAddrFromForwardedFor
+----------------------------------------------------
+
+**New in Django development version**
+
+Sets ``request['REMOTE_ADDR']`` based on ``request.['HTTP_X_FORWARDED_FOR']``,
+if the latter is set. This is useful if you're sitting behind a reverse proxy
+that causes each request's ``REMOTE_ADDR`` to be set to ``127.0.0.1``.
+
+**Important note:** This does NOT validate ``HTTP_X_FORWARDED_FOR``. If you're
+not behind a reverse proxy that sets ``HTTP_X_FORWARDED_FOR`` automatically, do
+not use this middleware. Anybody can spoof the value of
+``HTTP_X_FORWARDED_FOR``, and because this sets ``REMOTE_ADDR`` based on
+``HTTP_X_FORWARDED_FOR``, that means anybody can "fake" their IP address. Only
+use this when you can absolutely trust the value of ``HTTP_X_FORWARDED_FOR``.
+
django.contrib.sessions.middleware.SessionMiddleware
----------------------------------------------------
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/django-updates
-~----------~----~----~----~------~----~------~--~---
