[Web-SIG] REMOTE_ADDR and proxys

Alan Kennedy alan at xhaus.com
Wed Sep 24 21:16:09 CEST 2014


[Collin]
> It seems to me, it is the role of the server/gateway, not the
> application/framework to determine the "correct" client ip address and
> correctly account for the situation of being behind a known proxy.

I disagree. I think it is the role of the server/gateway to represent the
actual incoming HTTP request as accurately as possible.

If the application knows about remote proxies and local reverse proxies,
then it can take action accordingly.

But the server should not attempt any magic: it is up to the application to
interpret the request in whatever way it sees fit.

[Collin]
> Also, I am aware of the security issues of improperly handling
> X-Forwarded-For, but that's an issue no matter where it's being
> handled.

This is exactly why the server/gateway should refuse the temptation to
guess. It should leave it to the application to be smart enough to handle
all scenarios appropriately, knowing that it has access to the original
unmodified request.

If you want the magic rewriting functionality to be isolated from the
application, then it could easily be implemented as middleware.

Alan.


On Wed, Sep 10, 2014 at 7:41 PM, Collin Anderson <cmawebsite at gmail.com>
wrote:

> Hi All,
>
> The CGI spec says:
>
> Script authors should be aware that the REMOTE_ADDR and REMOTE_HOST
> meta-variables (see sections 4.1.8 and 4.1.9) may not identify the
> ultimate source of the request.  They identify the client for the
> immediate request to the server; that client may be a proxy, gateway,
> or other intermediary acting on behalf of the actual source client.
>
> However, if there is a reverse proxy on the server side (such as
> nginx), it seems to me, the ip address of the "immediate request to
> the server" will be "127.0.0.1" and the actual address will be in an
> "X-Forwarded-For" header.
>
> It seems to me, it is the role of the server/gateway, not the
> application/framework to determine the "correct" client ip address and
> correctly account for the situation of being behind a known proxy.
>
> Also, I am aware of the security issues of improperly handling
> X-Forwarded-For, but that's an issue no matter where it's being
> handled.
>
> So, in the case of a reverse proxy, is it ok if the WSGI server sends
> back a REMOTE_ADDR that isn't 127.0.0.1, even if the immediate
> connection to the WSGI server is local?
>
> Basically can we interpret the "server" above to be the machine rather
> than the program?
>
> Thanks,
> Collin
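The middleware approach Alan suggests, written out as an added example (this code is not from the thread, nor from any WSGI server or framework discussed in it). It keeps the server's behaviour exactly as Alan wants: REMOTE_ADDR reaches the middleware unmodified, and the rewrite happens only when the immediate peer is one of a configured set of trusted reverse proxies. X-Forwarded-For is walked from the right, discarding trusted hops, so a client that connects directly cannot spoof its address, and anything an untrusted party appended further left in the header is ignored. The class name `ProxyFixMiddleware`, the environ key `middleware.orig_remote_addr` (where the raw peer address is preserved for the application), the trusted networks, and the sample environ are all assumptions made for the example.

```python
import ipaddress

# Assumed key name (not from the thread): where the unmodified peer address is
# stashed so the application can still see the raw request if it wants to.
ORIG_REMOTE_ADDR_KEY = "middleware.orig_remote_addr"


def _parse_networks(networks):
    # Accept strings like "127.0.0.1/32" or "10.0.0.0/8"; strict=False tolerates
    # host bits being set in the configured value.
    return [ipaddress.ip_network(n, strict=False) for n in networks]


def _is_trusted(addr, trusted_nets):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted_nets)


def resolve_client_ip(remote_addr, xff_header, trusted_nets):
    """Return the client address the application should see.

    If the immediate peer (REMOTE_ADDR) is not a trusted proxy, the header is
    ignored entirely: a direct client may have sent any X-Forwarded-For it
    likes. Otherwise walk the header right to left, skip trusted proxy hops,
    and return the first untrusted address; hops further left were supplied
    by that untrusted party and are not believed.
    """
    if not _is_trusted(remote_addr, trusted_nets):
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, trusted_nets):
            continue
        try:
            ipaddress.ip_address(hop)  # reject garbage such as "evil"
        except ValueError:
            break
        return hop
    # Every listed hop was a trusted proxy, or the header was empty/malformed:
    # fall back to the immediate peer rather than report a bogus value.
    return remote_addr


class ProxyFixMiddleware:
    """WSGI middleware that rewrites REMOTE_ADDR behind known reverse proxies."""

    def __init__(self, app, trusted_proxies):
        self.app = app
        self.trusted = _parse_networks(trusted_proxies)

    def __call__(self, environ, start_response):
        peer = environ.get("REMOTE_ADDR", "")
        environ[ORIG_REMOTE_ADDR_KEY] = peer
        environ["REMOTE_ADDR"] = resolve_client_ip(
            peer, environ.get("HTTP_X_FORWARDED_FOR"), self.trusted)
        return self.app(environ, start_response)


def demo():
    """Run a constructed request through the middleware and report what the app saw."""
    captured = {}

    def app(environ, start_response):
        captured["remote"] = environ["REMOTE_ADDR"]
        captured["orig"] = environ[ORIG_REMOTE_ADDR_KEY]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    # Assumed deployment: nginx on localhost, plus an internal 10/8 proxy tier.
    wrapped = ProxyFixMiddleware(app, ["127.0.0.1/32", "10.0.0.0/8"])
    # Constructed environ: the real client 198.51.100.7 prepended a forged
    # "1.2.3.4"; the 10.0.0.5 proxy and then nginx each appended their peer.
    environ = {
        "REMOTE_ADDR": "127.0.0.1",
        "HTTP_X_FORWARDED_FOR": "1.2.3.4, 198.51.100.7, 10.0.0.5",
    }
    list(wrapped(environ, lambda status, headers: None))
    return dict(captured)


if __name__ == "__main__":
    print(demo())
```

Because the rewrite is a wrapper around the application rather than part of the server, a deployment with no reverse proxy simply leaves the middleware out and sees the raw peer address, which is the point Alan is making.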

