Toby Dickenson wrote:
On Wed, 10 Apr 2002 12:16:35 -0400, Jim Washington <jwashin@vt.edu> wrote:
2. If we want to get fancy about allowing authentication using that IP address like naked ZServers can do,
to
    if request.has_key('HTTP_X_FORWARDED_FOR'):
        addr = request['HTTP_X_FORWARDED_FOR']
    elif request.has_key('REMOTE_ADDR'):
        addr = request['REMOTE_ADDR']
There are lots of things that use REMOTE_ADDR, and I guess they should *all* use the proxy-supplied address rather than the address of the proxy. It makes sense to me that we should *replace* REMOTE_ADDR with HTTP_X_FORWARDED_FOR at the earliest opportunity. (and create an X_FORWARDED_BY)
Have you considered this approach?
Not yet, but I like the idea... As with Oliver's reply, this I think would need some research. I will be refining what I mean by "support" in the subject line shortly.
On Wed, 10 Apr 2002 18:59:38 +0200, Oliver Bleutgen <myzope@gmx.net> wrote:
Correct me if I'm wrong, but this IMO makes spoofing against a naked ZServer child's play.
That's correct for a naked ZServer, or if behind a proxy which does not sanitize the X-FORWARDED-FOR header. However, it is safe if the request comes from the right kind of proxy.
I think we need a new command line option to specify a list of IP addresses which are trusted to run 'the right kind of proxy'. Zope should only trust the X-FORWARDED-FOR header if the remote address is one of its trusted proxies.
Pseudocode for handling this would be:
    if request['REMOTE_ADDR'] in our_trusted_front_end_proxies:
        request['HTTP_X_FORWARDED_BY'] = request['REMOTE_ADDR']
        request['REMOTE_ADDR'] = request['HTTP_X_FORWARDED_FOR']
Excellent! Except for command-line bloat. With Matt Behrens's config proposal (http://dev.zope.org/Wikis/DevSite/Proposals/InstallationAndConfiguration), this nevertheless could be workable. Things are looking up. Maybe. Ummmm..., more research... -- Jim Washington
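Added example, not Zope code and not written by anyone in this thread: it implements the trusted-proxy rule Toby sketches above (only honour X-Forwarded-For when the TCP peer is one of our own front-end proxies, and record who forwarded in X-Forwarded-By), and goes one step further by handling the comma-separated header that chained proxies produce, walking it from the right past our own proxies so that a client-forged prefix is ignored. The CGI/WSGI-style environ dictionary, the TRUSTED_PROXIES set and the function names are assumptions of this example.

```python
"""Trusted-proxy handling of X-Forwarded-For (added example, not Zope code).

Works on a CGI/WSGI-style environ dict with REMOTE_ADDR and
HTTP_X_FORWARDED_FOR keys, which is what Zope's request object exposes.
TRUSTED_PROXIES and the function names are hypothetical.
"""
import ipaddress

# Constructed: addresses of the front-end proxies we operate ourselves.
TRUSTED_PROXIES = frozenset({"10.0.0.5", "10.0.0.6"})


def _parse_xff(value):
    """Split X-Forwarded-For into addresses, left to right.

    Each proxy appends the peer it talked to, so the rightmost entry was
    added by the proxy nearest to us and the leftmost by the farthest
    (which is the part a client can forge at will).  Entries that are
    not IP addresses become None so the caller can stop at them.
    """
    hops = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            hops.append(str(ipaddress.ip_address(item)))  # normalised form
        except ValueError:
            hops.append(None)
    return hops


def resolve_client_addr(environ, trusted_proxies=TRUSTED_PROXIES):
    """Return (client_addr, forwarded_by) for a request environ.

    The forwarded address is used only when the TCP peer is a trusted
    proxy; a naked ZServer therefore ignores the header entirely and a
    client cannot spoof its address.  forwarded_by is None when no
    rewrite applies, otherwise the comma-joined chain of our proxies.
    """
    peer = environ.get("REMOTE_ADDR")
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    if peer not in trusted_proxies or not xff.strip():
        return peer, None
    hops = _parse_xff(xff)
    forwarded_by = [peer]
    while hops:
        candidate = hops.pop()  # nearest remaining hop
        if candidate is None:
            break  # malformed entry from a trusted proxy: do not guess
        if candidate in trusted_proxies:
            forwarded_by.append(candidate)  # one of ours, keep walking left
            continue
        return candidate, ",".join(forwarded_by)
    # Every hop was one of our own proxies or the chain was malformed;
    # the safest statement is that the request came from the peer.
    return peer, None


def rewrite_environ(environ, trusted_proxies=TRUSTED_PROXIES):
    """Apply the thread's pseudocode in place: replace REMOTE_ADDR with the
    client address and record the proxy chain in HTTP_X_FORWARDED_BY."""
    addr, by = resolve_client_addr(environ, trusted_proxies)
    if by is not None:
        environ["HTTP_X_FORWARDED_BY"] = by
        environ["REMOTE_ADDR"] = addr
    return environ


if __name__ == "__main__":
    # Constructed requests: a spoof attempt against a naked server, and
    # a legitimate request relayed through two of our proxies.
    naked = {"REMOTE_ADDR": "203.0.113.9", "HTTP_X_FORWARDED_FOR": "127.0.0.1"}
    chained = {"REMOTE_ADDR": "10.0.0.6",
               "HTTP_X_FORWARDED_FOR": "127.0.0.1, 198.51.100.7, 10.0.0.5"}
    print(resolve_client_addr(naked))    # ('203.0.113.9', None)
    print(resolve_client_addr(chained))  # ('198.51.100.7', '10.0.0.6,10.0.0.5')
```

The list of trusted proxies is exactly the configuration item Toby asks for; with Matt Behrens's config proposal it would live in the config file rather than on the command line, but the check itself does not change.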