[Zope] remote address

Fritz Mesedilla fritz.mesedilla@summitmedia.com.ph
Sat, 15 Sep 2001 15:03:19 +0800


Oh I get it!
Thanks. I will take a look at squid.

Fritz Mesedilla
Systems Administrator

Summit Interactive, Inc.
FHM | Seventeen | Candy | Cosmopolitan | Preview | Good Housekeeping
femalenetwork.com | candymag.com | fhm.com.ph | cosmo.com.ph

Palm Pilot Software: TVSked - Download from the link below
----------------------------------------------------------------------------
http://mesedilla.tripod.com           +Basta Ikaw Lord
-----Original Message-----
From: Richard Barrett [mailto:R.Barrett@ftel.co.uk]
Sent: Friday, September 14, 2001 8:40 PM
To: fritz.mesedilla@summitmedia.com.ph; zope@zope.org
Subject: Re: [Zope] remote address


Further to my earlier post, what follows is extracted from the on-line
documentation for the Squid caching proxy server (see
http://www.squid-cache.org/Doc/FAQ/FAQ-4.html#ss4.17) which you could use
instead of Apache to front your Zope server.

Of note is that squid optionally adds a non-standard HTTP header to pass on
the IP number it received the request from but the squid FAQ correctly
warns about depending on this information as the basis for access control.
What is supplied in this header is at best informational.

Squid FAQ says: ----------------------------

4.17 What is ``HTTP_X_FORWARDED_FOR''? Why does squid provide it to WWW
servers, and how can I stop it?

When a proxy-cache is used, a server does not see the connection coming
from the originating client. Many people like to implement access controls
based on the client address. To accommodate these people, Squid adds its
own request header called "X-Forwarded-For" which looks like this:

         X-Forwarded-For: 128.138.243.150, unknown, 192.52.106.30

Entries are always IP addresses, or the word 'unknown' if the address could
not be determined or if it has been disabled with the forwarded_for
configuration option.

We must note that access controls based on this header are extremely weak
and simple to fake. Anyone may hand-enter a request with any IP address
whatsoever. This is perhaps the reason why client IP addresses have been
omitted from the HTTP/1.1 specification.

--------------------------------------------

At 14:19 14/09/2001 +0800, Fritz Mesedilla wrote:
>My setup right now has apache in front then zope.
>When I do a <dtml-var REMOTE_ADDR> it gives the address of the apache
>server.
>Is there a way to get the address of the visitor and not the apache server?

There is a patch for Apache which leads it, when acting as a Proxy, to
forward the incoming request information it is seeing in an HTTP VIA header
(See RFC2616) which it adds to the request. There is info about this patch
at http://www.zope.org/Members/unfo/apache_zserver_ssl but I've not yet
used it myself.

Using this makes things a bit messy, which is why I'm not going with it
yet, as you would have to look in REMOTE_ADDR and if that contained your
Proxy Apache's IP number then test against the VIA header. The problem is
that this HTTP header was not intended for forwarding information about the
originating client but for adding information about intermediate proxies
and gateways that have handled the incoming request. Depending on how the
patch is implemented, i.e. does it add information to any pre-existing VIA
header or replace it, the header could contain information about other
intermediate Proxies.

Probably the best you can do is determine that the request originated
outside your domain rather than getting an absolute determination of the
ultimate client's IP number. Bear in mind that if the incoming request came
through another proxy server your Apache Proxy would see the request as
coming from that other proxy's IP number and have no way of determining the
ultimate origin of the request.

Best of luck.

>Thanks.
>_______________________________________________
>Zope maillist  -  Zope@zope.org
>http://lists.zope.org/mailman/listinfo/zope
>**   No cross posts or HTML encoding!  **
>(Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
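
Added example, not part of the original thread and not Zope, Apache or Squid code: one way to apply the advice above, reading X-Forwarded-For only when REMOTE_ADDR is one of your own proxies and then taking the right-most entry that is not one of them. The proxy addresses are constructed values, client_address() is a hypothetical helper, and it assumes each of your proxies appends the address it received the request from, as the Squid FAQ describes.

```python
import ipaddress

# Assumption: addresses of your own front-end proxies (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("127.0.0.1/32", "10.0.0.5/32", "10.0.0.6/32")]


def is_trusted_proxy(addr):
    """True if addr belongs to one of the proxies we operate ourselves."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_address(remote_addr, forwarded_for=None):
    """Return the nearest address that one of our own proxies actually saw.

    remote_addr   -- the TCP peer (what REMOTE_ADDR holds)
    forwarded_for -- raw X-Forwarded-For value (HTTP_X_FORWARDED_FOR), or None
    """
    peer = ipaddress.ip_address(remote_addr)

    # A request that did not arrive through our proxy gets no say:
    # whatever header it carries was typed in by the sender.
    if not is_trusted_proxy(peer) or not forwarded_for:
        return str(peer)

    # Each proxy appends the address it received the request from, so the
    # right-most entry is the only one our proxy vouches for. Walk leftwards
    # only while the hop is another proxy of ours.
    for entry in reversed([e.strip() for e in forwarded_for.split(",")]):
        try:
            hop = ipaddress.ip_address(entry)
        except ValueError:
            # 'unknown' or malformed: the chain ends here, keep the last hop.
            return str(peer)
        if not is_trusted_proxy(hop):
            return str(hop)  # everything further left is sender-supplied
        peer = hop
    return str(peer)


if __name__ == "__main__":
    # Header from the Squid FAQ, received via our proxy at 10.0.0.5.
    print(client_address("10.0.0.5", "128.138.243.150, unknown, 192.52.106.30"))
    # Direct connection carrying a hand-entered header: header is ignored.
    print(client_address("203.0.113.9", "10.0.0.5"))
```

The address returned may itself be another organisation's proxy, so it says where the request entered your infrastructure, not who the ultimate client is.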

