Re: [Zope] remote address
Further to my earlier post, what follows is extracted from the on-line documentation for the Squid caching proxy server (see http://www.squid-cache.org/Doc/FAQ/FAQ-4.html#ss4.17), which you could use instead of Apache to front your Zope server. Of note is that Squid optionally adds a non-standard HTTP header to pass on the IP number it received the request from, but the Squid FAQ correctly warns about depending on this information as the basis for access control. What is supplied in this header is at best informational.

Squid FAQ says:

----------------------------
4.17 What is ``HTTP_X_FORWARDED_FOR''? Why does squid provide it to WWW servers, and how can I stop it?

When a proxy-cache is used, a server does not see the connection coming from the originating client. Many people like to implement access controls based on the client address. To accommodate these people, Squid adds its own request header called "X-Forwarded-For" which looks like this:

    X-Forwarded-For: 128.138.243.150, unknown, 192.52.106.30

Entries are always IP addresses, or the word 'unknown' if the address could not be determined or if it has been disabled with the forwarded_for configuration option.

We must note that access controls based on this header are extremely weak and simple to fake. Anyone may hand-enter a request with any IP address whatsoever. This is perhaps the reason why client IP addresses have been omitted from the HTTP/1.1 specification.
--------------------------------------------

At 14:19 14/09/2001 +0800, Fritz Mesedilla wrote:
My setup right now has apache in front then zope. When I do a <dtml-var REMOTE_ADDR> it gives the address of the apache server. Is there a way to get the address of the visitor and not the apache server?
There is a patch for Apache which leads it, when acting as a proxy, to forward the incoming request information it is seeing in an HTTP Via header (see RFC 2616) which it adds to the request. There is info about this patch at http://www.zope.org/Members/unfo/apache_zserver_ssl but I've not yet used it myself.

Using this makes things a bit messy, which is why I'm not going with it yet, as you would have to look in REMOTE_ADDR and, if that contained your proxy Apache's IP number, then test against the Via header. The problem is that this HTTP header was not intended for forwarding information about the originating client but for adding information about intermediate proxies and gateways that have handled the incoming request. Depending on how the patch is implemented, i.e. does it add information to any pre-existing Via header or replace it, the header could contain information about other intermediate proxies.

Probably the best you can do is determine that the request originated outside your domain rather than getting an absolute determination of the ultimate client's IP number. Bear in mind that if the incoming request came through another proxy server your Apache proxy would see the request as coming from that other proxy's IP number and have no way of determining the ultimate origin of the request.

Best of luck.
Thanks.
Fritz Mesedilla
Systems Administrator
Summit Interactive, Inc.
FHM | Seventeen | Candy | Cosmopolitan | Preview | Good Housekeeping
femalenetwork.com | candymag.com | fhm.com.ph | cosmo.com.ph
Palm Pilot Software: TVSked - Download from the link below
----------------------------------------------------------------------------
http://mesedilla.tripod.com
+Basta Ikaw Lord
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
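The two messages above make one point between them: REMOTE_ADDR behind a proxy is the proxy, and X-Forwarded-For is free text that anyone can hand-enter, so it is safe to believe only the entries that one of your own proxies appended. The following is an added example, not code from this thread or from Zope, Apache or Squid. It assumes the request headers arrive as a plain dict and REMOTE_ADDR as a string (standing in for what Zope's REQUEST exposes), and that the operator knows the addresses or networks of the proxies in front of the server; all IP addresses and the TRUSTED list are constructed for the demonstration. It walks the header from the right, discarding your own proxies, and returns the first address that a trusted proxy actually saw, which, as Richard notes, may be another proxy rather than the ultimate client. Squid's 'unknown' entries and a header sent on a direct connection are handled as failure modes.

```python
"""Derive a client address behind a proxy chain from X-Forwarded-For.

Added example; not from the original thread. Assumes a dict of request
headers and the REMOTE_ADDR string, plus a list of proxy addresses or
networks that the operator controls (TRUSTED below is constructed).
"""
import ipaddress
from typing import Dict, Iterable, List, Optional


def parse_forwarded_for(value: str) -> List[str]:
    """Split an X-Forwarded-For value into its comma-separated hops."""
    return [hop.strip() for hop in value.split(",") if hop.strip()]


def naive_client_ip(remote_addr: str, headers: Dict[str, str]) -> str:
    """The common mistake: trust the leftmost X-Forwarded-For entry.

    The leftmost entry is whatever the client put in the header itself, so
    it is attacker-controlled.
    """
    hops = parse_forwarded_for(headers.get("X-Forwarded-For", ""))
    return hops[0] if hops else remote_addr


def client_ip(remote_addr: str, headers: Dict[str, str],
              trusted_proxies: Iterable[str]) -> Optional[str]:
    """Return the nearest address that one of *our* proxies observed.

    Only hops appended by a trusted proxy are believed. Walking the header
    from the right strips our own proxies; the first address that is not
    ours is what the nearest trusted proxy saw as its TCP peer. Returns
    None when nothing usable remains (Squid writes 'unknown', the header is
    absent, or the value is not an IP address at all).
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False            # 'unknown' or junk is never a trusted hop
        return any(ip in net for net in trusted)

    def as_ip(addr: str) -> Optional[str]:
        try:
            return str(ipaddress.ip_address(addr))
        except ValueError:
            return None

    if not is_trusted(remote_addr):
        # The TCP peer is not one of our proxies, so any X-Forwarded-For
        # header was supplied by the client itself and must be ignored.
        return as_ip(remote_addr)

    hops = parse_forwarded_for(headers.get("X-Forwarded-For", ""))
    while hops:
        candidate = hops.pop()      # rightmost = appended by the nearest proxy
        if not is_trusted(candidate):
            return as_ip(candidate)
    # Every listed hop was one of our proxies, or the header was empty:
    # the chain says nothing about the outside world.
    return None


# Constructed: the Apache/Squid front-ends we operate.
TRUSTED = ["192.0.2.10", "192.0.2.0/28"]


def demo() -> Dict[str, Optional[str]]:
    """Constructed scenarios; returns what each strategy decides."""
    # 1. Real client 203.0.113.7 forges a header to look like an internal
    #    host; our proxy 192.0.2.10 appends the address it actually saw.
    spoofed = {"X-Forwarded-For": "10.0.0.5, 203.0.113.7"}
    # 2. The client reached us through someone else's proxy 198.51.100.3.
    chained = {"X-Forwarded-For": "203.0.113.7, 198.51.100.3"}
    # 3. Squid could not determine its peer address.
    unknown = {"X-Forwarded-For": "unknown"}
    # 4. No proxy in the path, but the client still sent the header.
    direct = {"X-Forwarded-For": "10.0.0.5"}
    return {
        "naive_spoofed": naive_client_ip("192.0.2.10", spoofed),
        "safe_spoofed": client_ip("192.0.2.10", spoofed, TRUSTED),
        "safe_chained": client_ip("192.0.2.10", chained, TRUSTED),
        "safe_unknown": client_ip("192.0.2.10", unknown, TRUSTED),
        "safe_direct": client_ip("203.0.113.7", direct, TRUSTED),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the spoofed scenario the naive reader believes 10.0.0.5 while the right-to-left walk returns 203.0.113.7; in the chained scenario the best the walk can give is 198.51.100.3, the outside proxy, because nothing our own proxies observed goes further back than that. Anything this returns is still only as trustworthy as the proxies in TRUSTED, which is the point the Squid FAQ makes about using it for access control.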
Oh I get it! Thanks. I will take a look at squid.

Fritz Mesedilla
Systems Administrator
Summit Interactive, Inc.
FHM | Seventeen | Candy | Cosmopolitan | Preview | Good Housekeeping
femalenetwork.com | candymag.com | fhm.com.ph | cosmo.com.ph
Palm Pilot Software: TVSked - Download from the link below
----------------------------------------------------------------------------
http://mesedilla.tripod.com
+Basta Ikaw Lord

-----Original Message-----
From: Richard Barrett [mailto:R.Barrett@ftel.co.uk]
Sent: Friday, September 14, 2001 8:40 PM
To: fritz.mesedilla@summitmedia.com.ph; zope@zope.org
Subject: Re: [Zope] remote address
Hi Fritz,

I believe that recent versions of Apache have ProxyVia which does essentially the same thing.

-steve

On Saturday, September 15, 2001, at 02:03 AM, Fritz Mesedilla wrote:
Oh I get it! Thanks. I will take a look at squid.
participants (3)
- Fritz Mesedilla
- Richard Barrett
- Steve Spicklemire