Leo Soto M. wrote:
> On 9/20/07, Deryck Hodge <[EMAIL PROTECTED]> wrote:
>
>> I completely agree you shouldn't use this middleware unless you know
>> and trust the proxy setup, but I can easily imagine (large corporate
>> networks) a situation where there could be multiple proxies. Seems to
On 9/21/07, Deryck Hodge <[EMAIL PROTECTED]> wrote:
[...]
> Of course, this is straying a bit from the original topic. I still
> think the middleware as reverted by Jacob is correct. Whether or not
> you trust REMOTE_ADDR to be the actual client IP after using the
> middleware is a matter of
On 9/20/07, Chris Bennett <[EMAIL PROTECTED]> wrote:
>
> As an aside, is anyone talking about seriously using this for access
> control? We've established that using X-F-F is a bad idea for that, in
> fact, I'd say that even known REMOTE_ADDR based auth is a bad idea, so
> why does it matter
On 9/20/07, Leo Soto M. <[EMAIL PROTECTED]> wrote:
>
> On 9/20/07, Deryck Hodge <[EMAIL PROTECTED]> wrote:
> >
> > A quick Google search turns up that this is indeed easily configurable
> > for both Squid and mod_proxy and the defaults look sane.
>
> What are those defaults?
>
> My google-foo is
As an aside, is anyone talking about seriously using this for access
control? We've established that using X-F-F is a bad idea for that, in
fact, I'd say that even known REMOTE_ADDR based auth is a bad idea, so
why does it matter whether it is "trustworthy"?
Anyway - I use X-F-F for IP
On 9/20/07, Deryck Hodge <[EMAIL PROTECTED]> wrote:
>
> A quick Google search turns up that this is indeed easily configurable
> for both Squid and mod_proxy and the defaults look sane.
What are those defaults?
My google-foo is very low today, and I only arrived at the squid
FAQ[1], which says
On 9/20/07, Leo Soto M. <[EMAIL PROTECTED]> wrote:
>
> On 9/20/07, Deryck Hodge <[EMAIL PROTECTED]> wrote:
> > I guess I would challenge the notion, too, that you can't trust the
> > client IP when you trust the proxy or proxies, at least in the sense
> > of knowing trusted proxies versus
On 9/20/07, Deryck Hodge <[EMAIL PROTECTED]> wrote:
> I guess I would challenge the notion, too, that you can't trust the
> client IP when you trust the proxy or proxies, at least in the sense
> of knowing trusted proxies versus untrusted. For example, if my setup
> has proxies p1 and p2:
>
>
Since there seem to be two use cases, might I suggest forking the
secondary use case into a separate middleware class?
Whether or not the trusted reverse proxy scenario is more common
(though I believe it is), it's best to avoid breaking existing
functionality, especially when the
On 9/20/07, Leo Soto M. <[EMAIL PROTECTED]> wrote:
>
> On 9/20/07, Deryck Hodge <[EMAIL PROTECTED]> wrote:
> [...]
> > But what about the case of multiple trusted proxies (not the case of
> > the client acting as a proxy)? Or what about if the proxy sends the
> > XFF header as [CLIENTIP,
On 9/20/07, Leo Soto M. <[EMAIL PROTECTED]> wrote:
> Now, if having a reliable remote IP address is important, then a
> setting (NUMBER_OF_TRUSTED_PROXY_SERVERS?) specifying how many values
> you can trust is the only thing that occurs to me. (I'm not that
> creative).
Doh. That was a
On 9/20/07, Deryck Hodge <[EMAIL PROTECTED]> wrote:
[...]
> But what about the case of multiple trusted proxies (not the case of
> the client acting as a proxy)? Or what about if the proxy sends the
> XFF header as [CLIENTIP, PROXYIP] which is what I believe the major
> ones do and what cause
On 9/20/07, Leo Soto M. <[EMAIL PROTECTED]> wrote:
>
> On 9/20/07, Deryck Hodge <[EMAIL PROTECTED]> wrote:
> > I completely agree you shouldn't use this middleware unless you know
> > and trust the proxy setup, but I can easily imagine (large corporate
> > networks) a situation where there could
On 9/20/07, Deryck Hodge <[EMAIL PROTECTED]> wrote:
> I completely agree you shouldn't use this middleware unless you know
> and trust the proxy setup, but I can easily imagine (large corporate
> networks) a situation where there could be multiple proxies. Seems to
> me it's better to be clear of
On 9/20/07, Leo Soto M. <[EMAIL PROTECTED]> wrote:
> Anyway, please *do not* revert it. Such a change would make it easy to fake
> the remote address when using that middleware. If people are _really_
> using more than one trusted proxy (a transparent Squid getting in the
> way maybe?), the middleware
Hi, Leo.
On 9/20/07, Leo Soto M. <[EMAIL PROTECTED]> wrote:
> Wikipedia isn't confirming that the first IP should be taken. It says
> that the first entry is the "farthest downstream client". But if you
> are going to believe it, you are blindly trusting every downstream
> client who is
On 9/20/07, Craig Ogg <[EMAIL PROTECTED]> wrote:
>
> On 9/20/07, Jacob Kaplan-Moss <[EMAIL PROTECTED]> wrote:
> > Django's SetRemoteAddrFromForwardedFor middleware used to take the
> > *first* item in the X-F-F header, but after
> > http://code.djangoproject.com/ticket/3872 was filed we changed
On 9/20/07, Deryck Hodge <[EMAIL PROTECTED]> wrote:
> In the comments for the article Simon cited on the ticket, Bob
> confirms left most is client, right most is last proxy but he was
> trying for the most trustworthy IP in the chain, not the client's IP.
> I'm pretty sure this is the norm.
On 9/20/07, Jacob Kaplan-Moss <[EMAIL PROTECTED]> wrote:
>
> Howdy folks --
>
> So I need a bit of help figuring out how to handle X-Forwarded-For,
> and specifically what to do in the presence of multiple IPs.
>
> Django's SetRemoteAddrFromForwardedFor middleware used to take the
> *first* item
On 9/20/07, Jacob Kaplan-Moss <[EMAIL PROTECTED]> wrote:
>
> Howdy folks --
>
> So I need a bit of help figuring out how to handle X-Forwarded-For,
> and specifically what to do in the presence of multiple IPs.
>
> Django's SetRemoteAddrFromForwardedFor middleware used to take the
> *first* item
On 9/20/07, Jacob Kaplan-Moss <[EMAIL PROTECTED]> wrote:
> Django's SetRemoteAddrFromForwardedFor middleware used to take the
> *first* item in the X-F-F header, but after
> http://code.djangoproject.com/ticket/3872 was filed we changed it to
> take the *last* IP.
>
That ticket uses this article
Howdy folks --
So I need a bit of help figuring out how to handle X-Forwarded-For,
and specifically what to do in the presence of multiple IPs.
Django's SetRemoteAddrFromForwardedFor middleware used to take the
*first* item in the X-F-F header, but after
22 matches