Toby Dickenson wrote:

>On Wed, 10 Apr 2002 12:16:35 -0400, Jim Washington <[EMAIL PROTECTED]>
>wrote:
>
>>2.  If we want to get fancy about allowing authentication using that ip 
>>address like naked ZServers can do,
>>
>
>>to
>>
>>if request.has_key('HTTP_X_FORWARDED_FOR'):
>>    addr=request['HTTP_X_FORWARDED_FOR']
>>elif request.has_key('REMOTE_ADDR'):
>>    addr=request['REMOTE_ADDR']
>>
>
>There are lots of things that use REMOTE_ADDR, and I guess they should
>*all* use the proxy supplied address rather than the address of the
>proxy. It makes sense to me that we should *replace* REMOTE_ADDR with
>HTTP_X_FORWARDED_FOR at the earliest opportunity. (and create a
>X_FORWARDED_BY)
>
>Have you considered this approach?
>
Not yet, but I like the idea...  As with Oliver's reply, this I think 
would need some research.  I will be refining what I mean by "support" 
in the subject line shortly.

>
>
>On Wed, 10 Apr 2002 18:59:38 +0200, Oliver Bleutgen <[EMAIL PROTECTED]>
>wrote:
>
>>Correct me if I'm wrong, but this IMO makes spoofing against a naked 
>>ZServer child's play.
>>
>
>That's correct for a naked ZServer, or if behind a proxy which does not
>sanitize the X-FORWARDED-FOR header. However it is safe if the request
>comes from the right kind of proxy.
>
>I think we need a new command line option to specify a list of IP
>addresses which are trusted to run 'the right kind of proxy'. Zope
>should only trust the X-FORWARDED-FOR header if the remote address is
>one of its trusted proxies.
>
>Pseudocode for handling this would be:
>
>if request['REMOTE_ADDR'] in our_trusted_front_end_proxies:
>    request['HTTP_X_FORWARDED_BY'] = request['REMOTE_ADDR']
>    request['REMOTE_ADDR'] = request['HTTP_X_FORWARDED_FOR']
>
Excellent!  Except for command-line bloat.  With Matt Behrens's config 
proposal 
(http://dev.zope.org/Wikis/DevSite/Proposals/InstallationAndConfiguration), 
this nevertheless could be workable.  Things are looking up.  Maybe. 
 Ummmm..., more research...

-- Jim Washington
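As an added example (not code from the thread, and not Zope's own code), here is Toby's trusted-proxy pseudocode carried into a working function. It assumes a CGI-style request environ dict and a configured list of trusted proxy addresses or CIDR ranges (the option the thread only proposes; the name `trusted_proxies` is an assumption). It goes beyond the pseudocode in two ways: it walks a multi-hop `X-Forwarded-For` chain ("client, proxy1, proxy2") from the right to find the first address that is not one of our proxies, and it drops the header outright when the immediate peer is not a trusted proxy, which is the naked-ZServer spoofing case Oliver raised.

```python
"""Trusted-proxy handling of X-Forwarded-For (added example, not Zope code).

Mirrors the pseudocode in the thread: the forwarded address is believed
only when the immediate peer (REMOTE_ADDR) is one of our own front-end
proxies.  Also handles a comma-separated multi-hop chain.
"""
import ipaddress


def _parse(addr):
    """Return an ip_address object, or None if addr is not a valid IP."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def _is_trusted(addr, trusted_networks):
    """True if addr parses and falls inside one of the trusted networks."""
    ip = _parse(addr)
    return ip is not None and any(ip in net for net in trusted_networks)


def resolve_client_addr(environ, trusted_proxies):
    """Return a copy of the CGI environ with REMOTE_ADDR rewritten.

    trusted_proxies: iterable of IP addresses or CIDR strings naming hosts
    known to sanitise and append X-Forwarded-For (assumed config value).
    """
    env = dict(environ)
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    peer = env.get('REMOTE_ADDR', '')
    forwarded = env.get('HTTP_X_FORWARDED_FOR', '')

    # A header arriving from a peer that is not a trusted proxy is
    # attacker-controlled: discard it rather than believe it.
    if not forwarded or not _is_trusted(peer, trusted):
        env.pop('HTTP_X_FORWARDED_FOR', None)
        return env

    # Walk the chain from the right: every trusted hop was appended by a
    # proxy we control, so the first untrusted entry is the real client.
    hops = [h.strip() for h in forwarded.split(',') if h.strip()]
    client = None
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            client = hop
            break
    if client is None or _parse(client) is None:
        # All hops are our own proxies, or the value is garbage: keep the
        # peer address rather than trusting an unparsable string.
        return env

    env['HTTP_X_FORWARDED_BY'] = peer
    env['REMOTE_ADDR'] = client
    return env


if __name__ == '__main__':
    # Constructed sample requests (addresses are documentation ranges).
    trusted = ['10.0.0.0/24']
    via_proxy = {'REMOTE_ADDR': '10.0.0.5',
                 'HTTP_X_FORWARDED_FOR': '203.0.113.7, 10.0.0.9'}
    spoofed = {'REMOTE_ADDR': '198.51.100.20',
               'HTTP_X_FORWARDED_FOR': '127.0.0.1'}
    print(resolve_client_addr(via_proxy, trusted)['REMOTE_ADDR'])  # 203.0.113.7
    print(resolve_client_addr(spoofed, trusted)['REMOTE_ADDR'])    # 198.51.100.20
```

Trust is decided by the peer address alone, so a client talking directly to ZServer cannot promote itself by sending the header; and because the chain is walked from the right, a client that pre-seeds `X-Forwarded-For` with a bogus address still resolves to the address the trusted proxy actually saw.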



_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )