[Zope] remote address

Richard Barrett R.Barrett@ftel.co.uk
Fri, 14 Sep 2001 13:40:09 +0100


Further to my earlier post, what follows is extracted from the on-line 
documentation for the Squid caching proxy server (see 
http://www.squid-cache.org/Doc/FAQ/FAQ-4.html#ss4.17) which you could use 
instead of Apache to front your Zope server.

Of note is that squid optionally adds a non-standard HTTP header to pass on 
the IP number it received the request from but the squid FAQ correctly 
warns about depending on this information as the basis for access control. 
What is supplied in this header is at best informational.

Squid FAQ says: ----------------------------
4.17 What is ``HTTP_X_FORWARDED_FOR''? Why does squid provide it to WWW 
servers, and how can I stop it?
When a proxy-cache is used, a server does not see the connection coming 
from the originating client. Many people like to implement access controls 
based on the client address. To accommodate these people, Squid adds its 
own request header called "X-Forwarded-For" which looks like this:

         X-Forwarded-For: 128.138.243.150, unknown, 192.52.106.30

Entries are always IP addresses, or the word 'unknown' if the address could 
not be determined or if it has been disabled with the forwarded_for 
configuration option.

We must note that access controls based on this header are extremely weak 
and simple to fake. Anyone may hand-enter a request with any IP address 
whatsoever. This is perhaps the reason why client IP addresses have been 
omitted from the HTTP/1.1 specification.
--------------------------------------------

At 14:19 14/09/2001 +0800, Fritz Mesedilla wrote:
>My setup right now has apache in front then zope.
>When I do a <dtml-var REMOTE_ADDR> it gives the address of the apache
>server.
>Is there a way to get the address of the visitor and not the apache server?

There is a patch for Apache which leads it, when acting as a Proxy, to 
forward the incoming request information it is seeing in an HTTP VIA header 
(See RFC2616) which it adds to the request. There is info about this patch 
at http://www.zope.org/Members/unfo/apache_zserver_ssl but I've not yet 
used it myself.

Using this makes things a bit messy, which is why I'm not going with it 
yet, as you would have to look in REMOTE_ADDR and if that contained your 
Proxy Apache's IP number then test against the VIA header. The problem is 
that this HTTP header was not intended for forwarding information about the 
originating client but for adding information about intermediate proxies 
and gateways that have handled the incoming request. Depending on how the 
patch is implemented, i.e. does it add information to any pre-existing VIA 
header or replace it, the header could contain information about other 
intermediate Proxies.

Probably the best you can do is determine that the request originated 
outside your domain rather than getting an absolute determination of the 
ultimate client's IP number. Bear in mind that if the incoming request came 
through another proxy server your Apache Proxy would see the request as 
coming from that other proxy's IP number and have no way of determining the 
ultimate origin of the request.

Best of luck.

>Thanks.
>
>Fritz Mesedilla
>Systems Administrator
>
>Summit Interactive, Inc.
>FHM | Seventeen | Candy | Cosmopolitan | Preview | Good Housekeeping
>femalenetwork.com | candymag.com | fhm.com.ph | cosmo.com.ph
>
>Palm Pilot Software: TVSked - Download from the link below
>----------------------------------------------------------------------------
>http://mesedilla.tripod.com           +Basta Ikaw Lord
>
>


_______________________________________________
Zope maillist  -  Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )
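The check described above (trust REMOTE_ADDR first, consult the forwarded header only when the connection actually came from your own proxy, and treat whatever the header yields as informational), written out as an added Python example that is not part of the original thread. The proxy address 10.0.0.2, the local network 10.0.0.0/8 and the sample header values are constructed for the example.

```python
import ipaddress

# Constructed for this example: the address our own reverse proxy connects from.
TRUSTED_PROXIES = {"10.0.0.2"}


def _parse_ip(value):
    """Return an ip_address object, or None for 'unknown' or a malformed entry."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_address(remote_addr, x_forwarded_for=None, trusted=TRUSTED_PROXIES):
    """Best-effort originating address as a (address, trustworthy) tuple.

    - If REMOTE_ADDR is not one of our own proxies, the header is ignored
      entirely (anyone can hand-enter X-Forwarded-For) and REMOTE_ADDR is
      returned as trustworthy.
    - Otherwise the header is walked from the right (nearest hop first),
      skipping our own proxies; the first hop we did not control is returned,
      flagged as informational only.
    - 'unknown' or a malformed entry stops the walk: the origin cannot be
      determined, so None is returned.
    """
    if remote_addr not in trusted:
        return remote_addr, True
    if not x_forwarded_for:
        return None, False
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        if hop in trusted:
            continue
        ip = _parse_ip(hop)
        if ip is None:
            return None, False
        return str(ip), False
    return None, False


def originated_outside(address, local_networks):
    """True when the best-effort address lies outside all of our own networks.

    An undeterminable address (None) is reported as not-outside, so callers
    never grant anything on the strength of a missing value.
    """
    ip = _parse_ip(address) if address else None
    return ip is not None and not any(
        ip in ipaddress.ip_network(net) for net in local_networks
    )
```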