[Zope] accessing REMOTE_ADDR
Richard Barrett
R.Barrett@ftel.co.uk
Tue, 02 Oct 2001 19:54:56 +0100
At 12:42 02/10/2001 -0400, you wrote:
>On Tue, Oct 02, 2001 at 05:29:00PM +0100, Richard Barrett wrote:
> > At 21:47 01/10/2001 -0500, Timothy Wilson wrote:
> > >Hi everyone,
> > >
> > 2. Increasingly, and probably mainly, the machine on which your client's
> > browser is running will itself be hiding behind some sort of firewall with
> > some sort of HTTP proxy on that firewall through which all outgoing browser
> > requests pass. It may be something as simple as a DSL Router which uses NAT
> > to allow multiple machines to share the single DSL internet connection. The
> > whole purpose of such proxies and routers is to hide user machines from the
> > hackers out there in webland; to not reveal the IP numbers on the lan
> > inside the firewall which, increasingly, are likely to be private IP
> > numbers and thus meaningless outside the user's local network. Thus all you
> > can determine is the IP number of the machine which originated the incoming
> > connection to your server. You cannot determine whether or not this is a
> > real user's machine, an HTTP proxy on a firewall, the IP number of the
> > user's personal firewall machine which just did NAT on the request ...
>
>And here you have just bumped up against reason that 'who cares' is not
>correct. Suppose you have a system that is behind a firewall and serves
>content of use to both people inside the firewall and outside it.
>Suppose further that you are reasonable and that your internal network
>has only martian addresses. Then you will want to write URLs so that
>your internal users address the machine directly, without passing
>through the firewall or an additional proxy server. You have to
>write external URLs to your firewall.
I'm afraid I'm not sure I fully grasp the point you are making in the last
two sentences above. When you say "you will want to write URLs" do you mean
"when dynamically rendering a page you will want to generate URLs"?
If so, then envisage the situation of my systems:
1. An Apache server visible both inside and outside a firewall. This Apache
server proxies the Zope server inside the firewall as well as serving
public content.
2. A Zope server visible only inside a firewall. This machine is directly
visible to other machines inside the firewall but invisible to any machine
outside the firewall. I want to make some of the Zope server's content
available through the Apache server. Why? Because I trust Apache more than
Zope when it comes to dealing with random hacker attacks on servers.
Machines inside the firewall have the option of going direct to the Zope
server using URL pattern 1 or via Apache with URL having a pattern 2 which
is rewritten to pattern 3.
Machine outside the firewall can only reach the Zope server via Apache with
the incoming URL having a pattern 2 which is rewritten to pattern 3.
This rewriting can be done using either mod_rewrite using a Rewrite rule
with the P flag which hands off the rewritten URL to mod_proxy or by using
a ProxyPass which goes direct to mod_proxy.
Examples of these URL patterns look like:
Pattern 1: http://zopeserver.mydomain.com:8080/public/index.html
Pattern 2: http://www-my-apache-server.mydomain.com/onzope/public/index.html
Pattern 3:
http://zopeserver.mydomain.com:8080/VirtualHostBase/http/www-my-apache-server.mydomain.com:80/VirtualHostRoot/_vh_onzope/public/index.html
Zope's Virtual Host Monster handles the problem of dynamically generating
absolute URLs appropriate to the incoming request. Suppose that in what
index_html generates I refer to the absolute URL of a document called
fred_html in a sub-directory called jim below public; then Zope's output
will be appropriate.
If I addressed index_html as
http://zopeserver.mydomain.com:8080/public/index.html no rewriting takes
place because Apache doesn't see the request. Zope sees this as the
incoming request URL. The VHM does not interfere with the generation of
http://zopeserver.mydomain.com:8080/public/jim/fred.html which is what we
want in the output.
On the other hand, if I addressed index_html as
http://www-my-apache-server.mydomain.com/onzope/public/index.html then
Apache translates this to
http://zopeserver.mydomain.com:8080/VirtualHostBase/http/www-my-apache-server.mydomain.com:80/VirtualHostRoot/_vh_onzope/public/index.html
which is what it puts in the request to Zope. The Zope server sees the
translation as the incoming URL. This gives the VHM the information it
needs to both traverse to the right page (i.e. to /public/index.html) and
to generate
http://www-my-apache-server.mydomain.com/onzope/public/jim/fred.html, which
is also what we want in the output.
Like I said, who cares what the IP number of our user's machine is. What we
respond to is the way the information is asked for, i.e. the URL being
requested. The advantage with VHM used this way is your code doesn't have
to care about proxying and IP numbers and stuff. Just install a VHM at the
root of your Zope. As long as you consistently only use either properly
relative URLs ('../../this/that_html') or URLs returned by Zope's
absolute_URL function (with the call parameter left at its default
'relative=0') it all works automagically.
The guy who wrote the VHM did a really neat job.
As a final point, suppose you still really want to generate different
output for folks inside and outside the firewall. If outsiders only can get
in via proxy server(s) on your firewall we have the lever we need. If the
IP number of the connection through which Zope got the request shows the
connection to Zope came from the IP number(s) of the proxy servers(s) then
act as if the requestor is an outsider. If internal users behave like
outsiders by coming through the proxy, then just treat them like outsiders.
The test is fast and simple. Alternatively use more complex Rewrite rules
to control which content or version of content on the Zope server can be
seen via the proxy. We don't care where they came from, we just care how
they got here.
>Note, you are making no security decision on the IP at all (although you
>can reasonably safely make a distinction between martian/non-martian).
>You are making an efficiency and possibly a latency decision.
>
>Jim Penny
>
> >
> > My advice: give it up; like who cares what the IP number of the user's
> > machine is. If you are after security you've got to rely on the low grade
> > capabilities of Basic Authentication and its cookie cousins, or get some
> > serious protection by wrapping Basic Auth in SSL.
> >
>
>_______________________________________________
>Zope maillist - Zope@zope.org
>http://lists.zope.org/mailman/listinfo/zope
>** No cross posts or HTML encoding! **
>(Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )
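As an added example (not code from the post, and not Zope's or Apache's own code), the following Python models the three mechanisms the reply describes: the Apache translation of Pattern 2 into Pattern 3, what the Virtual Host Monster makes of the rewritten path when generating absolute URLs, and the "did this connection arrive via the proxy?" test from the final point. The host names and the /onzope prefix are the post's illustrative values; the proxy address 192.0.2.10 is constructed for the example, and the ProxyPass / RewriteRule lines in the comment are the usual form of those directives, given for reference only.

```python
"""Model of the URL handling described in the post (added example):
  1. the Apache rewrite from Pattern 2 to Pattern 3 (ProxyPass or RewriteRule [P]),
  2. what Zope's VirtualHostMonster derives from the rewritten path (where to
     traverse, and which base to use for absolute URLs),
  3. the "did this connection come from the proxy?" test from the post's last point.
Not Zope's or Apache's code; host names and the /onzope prefix are the post's
illustrative values, the proxy address is constructed for the example."""

import ipaddress
from urllib.parse import urlsplit

ZOPE_BACKEND = "http://zopeserver.mydomain.com:8080"   # Pattern 1 host (from the post)
PUBLIC_PREFIX = "/onzope"                              # Pattern 2 prefix (from the post)

# Reference only: the Apache directive the function below imitates, in the
# usual mod_proxy or mod_rewrite form (use one or the other, not both):
#   ProxyPass /onzope/ http://zopeserver.mydomain.com:8080/VirtualHostBase/http/www-my-apache-server.mydomain.com:80/VirtualHostRoot/_vh_onzope/
#   RewriteRule ^/onzope/(.*)$ http://zopeserver.mydomain.com:8080/VirtualHostBase/http/www-my-apache-server.mydomain.com:80/VirtualHostRoot/_vh_onzope/$1 [P,L]


def apache_rewrite(external_url):
    """Pattern 2 -> Pattern 3: the request URL Apache hands to Zope."""
    u = urlsplit(external_url)
    if not u.path.startswith(PUBLIC_PREFIX + "/"):
        raise ValueError("request is not under the proxied prefix")
    port = u.port or (443 if u.scheme == "https" else 80)
    inner = u.path[len(PUBLIC_PREFIX):]          # e.g. "/public/index.html"
    return ("%s/VirtualHostBase/%s/%s:%d/VirtualHostRoot/_vh_%s%s"
            % (ZOPE_BACKEND, u.scheme, u.hostname, port, PUBLIC_PREFIX.strip("/"), inner))


def vhm_resolve(request_url):
    """What the VHM derives from the URL Zope actually receives.
    Returns {'traverse': path Zope traverses, 'vroot': Zope path of the virtual root,
             'base': external scheme://host[:port] plus any _vh_ segments}."""
    u = urlsplit(request_url)
    segs = [s for s in u.path.split("/") if s]
    if "VirtualHostBase" not in segs:
        # Pattern 1: Apache never saw it, so absolute URLs use the backend itself.
        return {"traverse": "/" + "/".join(segs), "vroot": "",
                "base": "%s://%s" % (u.scheme, u.netloc)}
    i = segs.index("VirtualHostBase")
    scheme, hostport = segs[i + 1], segs[i + 2]
    rest = segs[i + 3:]
    vroot = []
    if "VirtualHostRoot" in rest:                # segments before it become the root
        j = rest.index("VirtualHostRoot")
        vroot, rest = rest[:j], rest[j + 1:]
    vh = []
    while rest and rest[0].startswith("_vh_"):  # external path prefix, not traversed
        vh.append(rest.pop(0)[len("_vh_"):])
    host, port = hostport.rsplit(":", 1)
    default_port = {"http": "80", "https": "443"}.get(scheme)
    netloc = host if port == default_port else hostport
    return {"traverse": "/" + "/".join(vroot + rest),
            "vroot": "/" + "/".join(vroot) if vroot else "",
            "base": "%s://%s%s" % (scheme, netloc, "".join("/" + v for v in vh))}


def absolute_url(resolved, object_path):
    """absolute_url() of the object at object_path (Zope-internal path), as seen
    through the request that produced `resolved`."""
    vroot = resolved["vroot"]
    if vroot and not (object_path == vroot or object_path.startswith(vroot + "/")):
        raise ValueError("object lies outside the virtual root")
    return resolved["base"] + object_path[len(vroot):]


# Constructed for the example: the address(es) Zope sees when Apache proxies a request.
PROXY_ADDRS = {ipaddress.ip_address("192.0.2.10")}


def is_outsider(remote_addr):
    """The post's last point: a connection arriving from the proxy is treated as an
    outsider, whoever is behind it; anyone else reached Zope directly (inside)."""
    return ipaddress.ip_address(remote_addr) in PROXY_ADDRS


if __name__ == "__main__":
    ext = "http://www-my-apache-server.mydomain.com/onzope/public/index.html"
    proxied = apache_rewrite(ext)
    print(proxied)
    r = vhm_resolve(proxied)
    print(r["traverse"], "->", absolute_url(r, "/public/jim/fred.html"))
    d = vhm_resolve("http://zopeserver.mydomain.com:8080/public/index.html")
    print(d["traverse"], "->", absolute_url(d, "/public/jim/fred.html"))
```

Run directly, the script prints Pattern 3 for the proxied request, then the two absolute URLs for /public/jim/fred.html: the external one when the request came through Apache and the backend one when it did not, which is the distinction the post relies on.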