Andrea Arcangeli wrote:
> This fixes one logging bug:

Thanks

> 1) the web2.vhost seems buggy not fixing up the req.uri, I had to fixup
> req.uri to get logging right in my vhost hack that understands the
> twisted.web reverse proxy with clientPass=True (my old twisted.web patch)

Judging from the way Request actually deals with .uri it should be _uri,
I'll discuss this with foom and fix it later.

> 2) assuming that I had web2 on the reverse proxy, would it already pass
> down the remote_ip information, or only apache2 does that? (the only one
> capable of receiving the remote_ip is AutoVHostURIRewrite, but the
> deployment only talks about apache2). Also note for me it's fundamentally
> important for security reasons to have the port too, one needs the port
> to safely identify a box behind a nat (assuming the nat admin is
> capable of logging all connection tracking but if he doesn't he will
> take the blame). Is the apache2/twisted.web2 reverseproxy protocol
> passing down the peer port too in the x-forwarded-host?

As far as I know twisted.web.proxy.ReverseProxyResource doesn't send
X-Forwarded-For. I don't think Apache2 sends the port. I'm not sure
what to do about this other than subclass and fix, it seems like a
pretty special case to me, perhaps security would be better provided
through another means, because as you said, it only works if the
connection tracking is logged. Which most SOHO devices don't do.

> 3) if answer to 2 is no, can I forward port to web2 my simple hack to
> twisted.web that I need in order to plug klive on top of twisted.web2?

Twisted.web2 is backwards compatible, in that it knows what a
twisted.web resource expects, and is capable of translating them from
what Twisted.web2 uses (see twisted.web2.compat). You should be able to
just drop that exact ReverseProxyResource into a twisted.web2 tree and
have it work. (While you're at it you might as well patch it to send
the client via X-Forwarded-For (and send the other headers
AutoURIRewrite expects while you're at it).)

> Here for reference is my old patch that is running on cpushare.com today
> and that my web2 vhost hack is understanding and that passes down to
> klive both ip and port (setClient was actually used by the nevow.vhost,
> now obsoleted by web2 req.remoteAddr)

I'm not sure if tacking a :port onto the X-Forwarded-For header will
break other http servers.

> One more question, you said the channel is private, why don't we add __
> in front of it? Python is capable of autodocumenting without possibility
> for mistakes all private parts of a class.

Send me a patch (on or offlist) that changes chanRequest to _chanRequest [1].

--David

[1] See twisted coding standards:
http://twistedmatrix.com/projects/core/documentation/howto/policy/coding-standard.html
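
The thread leaves open how a backend should read an X-Forwarded-For value that may or may not carry a `:port` suffix. The sketch below is an added example, not code from this thread or from Twisted: it parses both forms and honours the header only when the connection comes from a known proxy. The names `TRUSTED_PROXIES`, `parse_forwarded_entry` and `client_address`, and the `ip:port` element format, are assumptions made for illustration.

```python
import ipaddress

TRUSTED_PROXIES = {"127.0.0.1"}  # assumption: the reverse proxy runs on localhost


def parse_forwarded_entry(entry):
    """Parse one X-Forwarded-For element into (ip, port or None).

    Accepts '1.2.3.4', '1.2.3.4:5678', '2001:db8::1' and '[2001:db8::1]:5678'.
    Raises ValueError on anything else.
    """
    entry = entry.strip()
    port = None
    if entry.startswith("["):                      # bracketed IPv6, optional port
        host, sep, rest = entry[1:].partition("]")
        if not sep or (rest and not rest.startswith(":")):
            raise ValueError("malformed bracketed address: %r" % entry)
        port = rest[1:] if rest else None
    elif entry.count(":") == 1:                    # IPv4 with port
        host, port = entry.split(":")
    else:                                          # bare IPv4 or bare IPv6
        host = entry
    ip = str(ipaddress.ip_address(host))           # rejects hostnames and junk
    if port is not None:
        if not (port.isascii() and port.isdigit()) or not 0 < int(port) < 65536:
            raise ValueError("bad port in %r" % entry)
        port = int(port)
    return ip, port


def client_address(peer, header_value, trusted=TRUSTED_PROXIES):
    """Return the (ip, port) to log for a request.

    peer is the (ip, port) of the TCP connection. The header is honoured only
    when the connection comes from a trusted proxy, and only its last element
    (the one that proxy appended) is used; earlier ones are client-supplied.
    """
    if peer[0] not in trusted or not header_value:
        return peer
    try:
        return parse_forwarded_entry(header_value.split(",")[-1])
    except ValueError:
        return peer                                # fall back to the proxy's address
```

A port of `None` means the proxy sent only the address, so the log entry cannot single out one host behind a NAT.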