Support for X-HTTPD-FORWARDED-FOR Re: [Zope-dev] Speaking of 2.6...
Jim Washington
jwashin@vt.edu
Thu, 11 Apr 2002 09:01:33 -0400
Toby Dickenson wrote:
>On Wed, 10 Apr 2002 12:16:35 -0400, Jim Washington <jwashin@vt.edu>
>wrote:
>
>>2. If we want to get fancy about allowing authentication using that ip
>>address like naked ZServers can do,
>>
>
>>to
>>
>>if request.has_key('HTTP_X_FORWARDED_FOR'):
>>    addr=request['HTTP_X_FORWARDED_FOR']
>>elif request.has_key('REMOTE_ADDR'):
>>    addr=request['REMOTE_ADDR']
>>
>
>There are lots of things that use REMOTE_ADDR, and I guess they should
>*all* use the proxy supplied address rather than the address of the
>proxy. It makes sense to me that we should *replace* REMOTE_ADDR with
>HTTP_X_FORWARDED_FOR at the earliest opportunity. (and create a
>X_FORWARDED_BY)
>
>Have you considered this approach?
>
Not yet, but I like the idea... As with Oliver's reply, this I think
would need some research. I will be refining what I mean by "support"
in the subject line shortly.
>
>
>On Wed, 10 Apr 2002 18:59:38 +0200, Oliver Bleutgen <myzope@gmx.net>
>wrote:
>
>>Correct me if I'm wrong, but this IMO makes spoofing against a naked
>>ZServer a child's play.
>>
>
>That's correct for a naked ZServer, or if behind a proxy which does not
>sanitize the X-FORWARDED-FOR header. However it is safe if the request
>comes from the right kind of proxy.
>
>I think we need a new command line option to specify a list of IP
>addresses which are trusted to run 'the right kind of proxy'. Zope
>should only trust the X-FORWARDED-FOR header if the remote address is
>one of its trusted proxies.
>
>Pseudocode for handling this would be:
>
>if request['REMOTE_ADDR'] in our_trusted_front_end_proxies:
> request['HTTP_X_FORWARDED_BY'] = request['REMOTE_ADDR']
> request['REMOTE_ADDR'] = request['HTTP_X_FORWARDED_FOR']
>
Excellent! Except for command-line bloat. With Matt Behrens's config
proposal
(http://dev.zope.org/Wikis/DevSite/Proposals/InstallationAndConfiguration),
this nevertheless could be workable. Things are looking up. Maybe.
Ummmm..., more research...
-- Jim Washington
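The trusted-proxy rule from Toby's pseudocode, worked through as an added example (not Zope's code and not from this thread): REMOTE_ADDR is replaced from X-Forwarded-For only when the TCP peer is a configured proxy, and the header is otherwise ignored, which is what closes the spoofing hole Oliver raised for a naked ZServer. It goes one step beyond the pseudocode by walking a comma-separated header chain from the right so that values a client injected ahead of the proxy are never used; the function name, the trusted set and the sample addresses are constructed for this illustration.

```python
# Added example, not Zope code. Function name and sample values are constructed.

def resolve_remote_addr(environ, trusted_proxies):
    """Return a copy of a CGI/WSGI-style environ with REMOTE_ADDR resolved.

    HTTP_X_FORWARDED_FOR is honoured only when REMOTE_ADDR (the TCP peer)
    is a trusted front-end proxy; otherwise the header is ignored and the
    real peer address is kept, so a client talking to a naked ZServer
    cannot pick its own address. The header may be a chain such as
    "forged, real-client" when the proxy appends to what the client sent;
    the chain is read from the right and trusted hops are skipped, so the
    first untrusted entry is the client as seen by our nearest proxy.
    """
    env = dict(environ)
    peer = env.get('REMOTE_ADDR')
    if peer not in trusted_proxies:
        return env                      # untrusted peer: header ignored
    chain = [a.strip() for a in env.get('HTTP_X_FORWARDED_FOR', '').split(',')]
    chain = [a for a in chain if a]
    if not chain:
        return env                      # trusted proxy, but no header sent
    forwarded_by, client = peer, None
    for hop in reversed(chain):
        if hop in trusted_proxies:      # another of our proxies: keep walking
            forwarded_by = hop
            continue
        client = hop
        break
    if client is None:
        return env                      # every hop was one of ours; nothing to resolve
    env['HTTP_X_FORWARDED_BY'] = forwarded_by
    env['REMOTE_ADDR'] = client
    return env


TRUSTED = frozenset(['10.0.0.5'])       # constructed: our one front-end proxy

# Constructed sample requests as the ZServer would see them.
BEHIND_PROXY = {'REMOTE_ADDR': '10.0.0.5',
                'HTTP_X_FORWARDED_FOR': '203.0.113.7'}
NAKED_SPOOF = {'REMOTE_ADDR': '198.51.100.9',
               'HTTP_X_FORWARDED_FOR': '127.0.0.1'}   # client-supplied header
CHAINED = {'REMOTE_ADDR': '10.0.0.5',
           'HTTP_X_FORWARDED_FOR': '127.0.0.1, 203.0.113.7'}  # proxy appended

if __name__ == '__main__':
    for name, env in [('behind proxy', BEHIND_PROXY), ('naked', NAKED_SPOOF),
                      ('chained', CHAINED)]:
        print(name, resolve_remote_addr(env, TRUSTED)['REMOTE_ADDR'])
```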