On Wed, 10 Apr 2002 12:16:35 -0400, Jim Washington <[EMAIL PROTECTED]>
wrote:
>2. If we want to get fancy about allowing authentication using that ip
>address like naked ZServers can do,
>to
>
>if request.has_key('HTTP_X_FORWARDED_FOR'):
> addr=request['HTTP_X_FORWARDED_FOR']
> elif request.has_key('REMOTE_ADDR'):
> addr=request['REMOTE_ADDR']
There are lots of things that use REMOTE_ADDR, and I guess they should
*all* use the proxy supplied address rather than the address of the
proxy. It makes sense to me that we should *replace* REMOTE_ADDR with
HTTP_X_FORWARDED_FOR at the earliest opportunity. (and create a
X_FORWARDED_BY)
Have you considered this approach?
On Wed, 10 Apr 2002 18:59:38 +0200, Oliver Bleutgen <[EMAIL PROTECTED]>
wrote:
>Correct me if I'm wrong, but this IMO makes spoofing against a naked
>ZServer a childs play.
Thats correct for a naked ZServer, or if behind a proxy which does not
sanitize the X-FORWARDED-FOR header. However it is safe if the request
comes from the right kind of proxy.
I think we need a new command line option to specify a list of IP
addresses which are trusted to run 'the right kind of proxy'. Zope
should only trust the X-FORWARDED-FOR header if the remote address is
one of its trusted proxies.
Pseudocode for handling this would be:
if request['REMOTE_ADDR'] in our_trusted_front_end_proxies:
request['HTTP_X_FORWARDED_BY'] = request['REMOTE_ADDR']
request['REMOTE_ADDR'] = request['HTTP_X_FORWARDED_FOR']
Toby Dickenson
[EMAIL PROTECTED]
_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )
