Toby Dickenson wrote:

>On Wed, 10 Apr 2002 12:16:35 -0400, Jim Washington <[EMAIL PROTECTED]>
>wrote:
>
>>2. If we want to get fancy about allowing authentication using that ip
>>address like naked ZServers can do,
>>
>
>>to
>>
>>if request.has_key('HTTP_X_FORWARDED_FOR'):
>>    addr=request['HTTP_X_FORWARDED_FOR']
>>elif request.has_key('REMOTE_ADDR'):
>>    addr=request['REMOTE_ADDR']
>>
>
>There are lots of things that use REMOTE_ADDR, and I guess they should
>*all* use the proxy supplied address rather than the address of the
>proxy. It makes sense to me that we should *replace* REMOTE_ADDR with
>HTTP_X_FORWARDED_FOR at the earliest opportunity. (and create a
>X_FORWARDED_BY)
>
>Have you considered this approach?
>

Not yet, but I like the idea... As with Oliver's reply, this I think
would need some research. I will be refining what I mean by "support"
in the subject line shortly.

>On Wed, 10 Apr 2002 18:59:38 +0200, Oliver Bleutgen <[EMAIL PROTECTED]>
>wrote:
>
>>Correct me if I'm wrong, but this IMO makes spoofing against a naked
>>ZServer child's play.
>>
>
>That's correct for a naked ZServer, or if behind a proxy which does not
>sanitize the X-FORWARDED-FOR header. However it is safe if the request
>comes from the right kind of proxy.
>
>I think we need a new command line option to specify a list of IP
>addresses which are trusted to run 'the right kind of proxy'. Zope
>should only trust the X-FORWARDED-FOR header if the remote address is
>one of its trusted proxies.
>
>Pseudocode for handling this would be:
>
>if request['REMOTE_ADDR'] in our_trusted_front_end_proxies:
>    request['HTTP_X_FORWARDED_BY'] = request['REMOTE_ADDR']
>    request['REMOTE_ADDR'] = request['HTTP_X_FORWARDED_FOR']
>

Excellent! Except for command-line bloat. With Matt Behrens's config
proposal
(http://dev.zope.org/Wikis/DevSite/Proposals/InstallationAndConfiguration),
this nevertheless could be workable.

Things are looking up. Maybe. Ummmm..., more research...

-- 
Jim Washington

_______________________________________________
Zope-Dev maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope )
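Worked example added after the thread (this is not code from the thread, from Zope, or from any of its participants): Toby's pseudocode, carried through as a standalone Python 3 function. It generalises the one-address case in the message to a comma-separated X-Forwarded-For chain, walking it from the right and skipping our own proxies, so the only address ever believed is the one a trusted proxy appended. Everything here is an assumption for illustration: the request is modelled as a plain dict with CGI-style keys (REMOTE_ADDR, HTTP_X_FORWARDED_FOR), the trusted proxy set is constructed, and the sample addresses are documentation ranges.

```python
# Added example, not from the zope-dev thread or from Zope itself.
# Implements the rule from the message: believe X-Forwarded-For only when
# the TCP peer (REMOTE_ADDR) is one of our own front-end proxies, record the
# peer in X_FORWARDED_BY, and otherwise leave the request untouched so a
# client talking to a naked server cannot pick its own address.
import ipaddress

# Constructed sample: the front-end proxies we operate. In the proposal this
# list would come from a command-line option or a config file; here it is a
# module constant (assumption).
TRUSTED_PROXIES = frozenset({
    ipaddress.ip_address("10.0.0.5"),
    ipaddress.ip_address("10.0.0.6"),
})


def _parse(text):
    """Return an ip_address object, or None for anything unparsable."""
    try:
        return ipaddress.ip_address(text)
    except (ValueError, TypeError):
        return None


def resolve_client_address(request, trusted_proxies=TRUSTED_PROXIES):
    """Return a copy of the request environment (a dict with CGI-style keys,
    an assumption standing in for Zope's request object) with REMOTE_ADDR
    rewritten to the real client address when, and only when, the TCP peer
    is a trusted proxy.  The original peer is kept in HTTP_X_FORWARDED_BY.
    An untrusted peer, a missing header, or a malformed entry leaves the
    environment unchanged: never fall back to a value the client may have
    written.
    """
    env = dict(request)
    peer = _parse(env.get("REMOTE_ADDR"))
    if peer is None or peer not in trusted_proxies:
        return env  # naked connection or unknown proxy: header is untrusted

    hops = [h.strip() for h in env.get("HTTP_X_FORWARDED_FOR", "").split(",")
            if h.strip()]

    # Each proxy appends the address it saw to the right of the chain, so the
    # rightmost entries are the ones our trusted proxies wrote.  Walk
    # right-to-left past our own proxies; the first foreign address is the
    # nearest one a trusted proxy can vouch for.  Anything left of it was
    # supplied by parties we do not trust and is ignored.
    client = None
    while hops:
        candidate = _parse(hops.pop())
        if candidate is None:
            break  # malformed entry: trust nothing
        if candidate in trusted_proxies:
            continue  # one of ours relaying to another of ours
        client = candidate
        break

    if client is None:
        return env
    env["HTTP_X_FORWARDED_BY"] = str(peer)
    env["REMOTE_ADDR"] = str(client)
    return env
```

The function returns a new dict rather than mutating its input, so the same request can be inspected both before and after resolution; a real integration would do the rewrite once, at the point where the request is constructed, as the message suggests.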