Support for X-HTTPD-FORWARDED-FOR Re: [Zope-dev] Speaking of 2.6...
Toby Dickenson
tdickenson@geminidataloggers.com
Thu, 11 Apr 2002 10:09:40 +0100
On Wed, 10 Apr 2002 12:16:35 -0400, Jim Washington <jwashin@vt.edu>
wrote:
>2. If we want to get fancy about allowing authentication using that ip
>address like naked ZServers can do,
>to
>
>if request.has_key('HTTP_X_FORWARDED_FOR'):
>    addr=request['HTTP_X_FORWARDED_FOR']
>elif request.has_key('REMOTE_ADDR'):
>    addr=request['REMOTE_ADDR']
There are lots of things that use REMOTE_ADDR, and I guess they should
*all* use the proxy-supplied address rather than the address of the
proxy. It makes sense to me that we should *replace* REMOTE_ADDR with
HTTP_X_FORWARDED_FOR at the earliest opportunity (and create an
X_FORWARDED_BY).
Have you considered this approach?
On Wed, 10 Apr 2002 18:59:38 +0200, Oliver Bleutgen <myzope@gmx.net>
wrote:
>Correct me if I'm wrong, but this IMO makes spoofing against a naked
>ZServer child's play.
That's correct for a naked ZServer, or if behind a proxy which does not
sanitize the X-FORWARDED-FOR header. However, it is safe if the request
comes from the right kind of proxy.
I think we need a new command line option to specify a list of IP
addresses which are trusted to run 'the right kind of proxy'. Zope
should only trust the X-FORWARDED-FOR header if the remote address is
one of its trusted proxies.
Pseudocode for handling this would be:

if request['REMOTE_ADDR'] in our_trusted_front_end_proxies:
    request['HTTP_X_FORWARDED_BY'] = request['REMOTE_ADDR']
    request['REMOTE_ADDR'] = request['HTTP_X_FORWARDED_FOR']
Toby Dickenson
tdickenson@geminidataloggers.com
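The trusted-proxy rule from the message above, worked through as an added example that is not from the thread or from Zope itself; the `resolve_client_addr` function, the `TRUSTED_PROXIES` list standing in for the proposed command-line option, and the sample addresses are all assumptions. It goes one step beyond the pseudocode by handling a multi-hop X-Forwarded-For chain, walking it from the right and ignoring anything written before the first untrusted hop.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: the proxy network we trust (assumption, not a Zope option).
TRUSTED_PROXIES = [ip_network('192.0.2.0/24')]


def _parse_ip(addr):
    """Return an ip_address object, or None if addr is not a valid IP."""
    try:
        return ip_address(addr.strip())
    except ValueError:
        return None


def _is_trusted(addr, trusted_proxies):
    ip = _parse_ip(addr)
    return ip is not None and any(ip in net for net in trusted_proxies)


def resolve_client_addr(environ, trusted_proxies=TRUSTED_PROXIES):
    """Return a copy of environ with REMOTE_ADDR rewritten per the rule in
    the message: honour X-Forwarded-For only if the direct peer is a
    trusted proxy, and record that peer in HTTP_X_FORWARDED_BY.

    X-Forwarded-For may be a chain ("client, proxy1, proxy2"). We walk it
    from the right, skipping hops that are themselves trusted proxies, and
    take the first untrusted hop as the client; anything to its left was
    written by parties we do not trust and is ignored."""
    env = dict(environ)
    peer = env.get('REMOTE_ADDR', '')
    # Naked server, or an untrusted peer: the header is just client input.
    if not _is_trusted(peer, trusted_proxies):
        return env
    hops = [h.strip() for h in env.get('HTTP_X_FORWARDED_FOR', '').split(',')]
    forwarded_by = [peer]
    for hop in reversed([h for h in hops if h]):
        if _is_trusted(hop, trusted_proxies):
            forwarded_by.append(hop)
            continue
        if _parse_ip(hop) is None:
            break  # garbage in the header: refuse to rewrite anything
        env['HTTP_X_FORWARDED_BY'] = ', '.join(forwarded_by)
        env['REMOTE_ADDR'] = hop
        break
    return env
```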