#3872: Bug in SetRemoteAddrFromForwardedFor middleware
----------------------------------------+-----------------------------------
Reporter: Simon Willison | Owner: gregorth
Status: reopened | Milestone:
Component: Core framework | Version: SVN
Resolution: | Keywords: middleware
Stage: Ready for checkin | Has_patch: 1
Needs_docs: 0 | Needs_tests: 0
Needs_better_patch: 0 |
----------------------------------------+-----------------------------------
Changes (by JohnMoylan):
* status: closed => reopened
* resolution: fixed =>
Comment:
Hi, I'm using Apache and Django with Squid as a reverse proxy. Squid
appends it's IP to the "END" of the X_FORWARDED_FOR header. The real ip
shoudl be the second last in the list.
EG
'HTTP_X_FORWARDED_FOR': '10.162.50.55, 213.233.159.69, 89.207.56.145',
89.207.56.145 is Squid
In this sort of setup the SetRemoteAddrFromForwardedFor should use that
second last IP as the real IP
real_ip = real_ip.split(",")[-2].strip()
and not the current
real_ip = real_ip.split(",")[0].strip()
Having real_ip as the first IP in the list assumes that the client has not
gone through multiple proxies.
--
Ticket URL: <http://code.djangoproject.com/ticket/3872#comment:9>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com
To unsubscribe from this group, send email to
django-updates+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/django-updates?hl=en
-~----------~----~----~----~------~----~------~--~---
