Support for X-HTTPD-FORWARDED-FOR Re: [Zope-dev] Speaking of 2.6...

Toby Dickenson tdickenson@geminidataloggers.com
Thu, 11 Apr 2002 10:09:40 +0100


On Wed, 10 Apr 2002 12:16:35 -0400, Jim Washington <jwashin@vt.edu>
wrote:

>2.  If we want to get fancy about allowing authentication using that ip
>address like naked ZServers can do,

>to
>
>if request.has_key('HTTP_X_FORWARDED_FOR'):
>    addr=request['HTTP_X_FORWARDED_FOR']
>elif request.has_key('REMOTE_ADDR'):
>    addr=request['REMOTE_ADDR']

There are lots of things that use REMOTE_ADDR, and I guess they should
*all* use the proxy supplied address rather than the address of the
proxy. It makes sense to me that we should *replace* REMOTE_ADDR with
HTTP_X_FORWARDED_FOR at the earliest opportunity (and create an
X_FORWARDED_BY).

Have you considered this approach?


On Wed, 10 Apr 2002 18:59:38 +0200, Oliver Bleutgen <myzope@gmx.net>
wrote:

>Correct me if I'm wrong, but this IMO makes spoofing against a naked
>ZServer a child's play.

That's correct for a naked ZServer, or if behind a proxy which does not
sanitize the X-FORWARDED-FOR header. However it is safe if the request
comes from the right kind of proxy.

I think we need a new command line option to specify a list of IP
addresses which are trusted to run 'the right kind of proxy'. Zope
should only trust the X-FORWARDED-FOR header if the remote address is
one of its trusted proxies.

Pseudocode for handling this would be:

if request['REMOTE_ADDR'] in our_trusted_front_end_proxies:
    request['HTTP_X_FORWARDED_BY'] = request['REMOTE_ADDR']
    request['REMOTE_ADDR'] = request['HTTP_X_FORWARDED_FOR']




Toby Dickenson
tdickenson@geminidataloggers.com
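A worked version of the trusted-proxy check sketched in the message above, written as an added example for this thread (it is not Zope code and not Toby's patch). It operates on a plain CGI/WSGI-style environ dict, and the names `resolve_client_addr`, `apply_trusted_proxy` and `trusted_proxies` are assumptions of this example. It goes one step beyond the pseudocode: X-Forwarded-For may carry a comma-separated chain of hops, so the code walks that list from the right (the hop nearest Zope) and only steps past addresses that are themselves trusted proxies, which is what keeps a client-supplied prefix of the header from being believed. A naked ZServer, or an untrusted REMOTE_ADDR, leaves the request untouched.

```python
import ipaddress

def _parse_trusted(trusted_proxies):
    # Accept single addresses ("192.0.2.10") or networks ("192.0.2.0/24").
    return [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

def _is_trusted(addr, nets):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # garbage never counts as a trusted proxy
    return any(ip in n for n in nets)

def resolve_client_addr(environ, trusted_proxies):
    """Return (client_addr, forwarded_by).

    client_addr is the address Zope should treat as the real client;
    forwarded_by is the directly connected proxy whose header was
    believed, or None if X-Forwarded-For was ignored.
    """
    remote = environ.get("REMOTE_ADDR")
    if remote is None:
        return None, None
    nets = _parse_trusted(trusted_proxies)
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    current = remote
    forwarded_by = None
    # Walk the chain from the hop nearest us back toward the client.
    # Each hop we step over must itself be a trusted proxy; the first
    # untrusted address we reach is the client.
    while hops and _is_trusted(current, nets):
        nxt = hops.pop()
        try:
            ipaddress.ip_address(nxt)
        except ValueError:
            break  # malformed value from the proxy: stop here
        if forwarded_by is None:
            forwarded_by = remote
        current = nxt
    return current, forwarded_by

def apply_trusted_proxy(environ, trusted_proxies):
    """Rewrite REMOTE_ADDR as the message proposes, returning a new environ."""
    client, by = resolve_client_addr(environ, trusted_proxies)
    env = dict(environ)
    if by is not None:
        env["HTTP_X_FORWARDED_BY"] = by
        env["REMOTE_ADDR"] = client
    return env

if __name__ == "__main__":
    # Constructed sample requests; 192.0.2.0/24 plays the trusted front end.
    trusted = ["192.0.2.0/24"]
    naked = {"REMOTE_ADDR": "198.51.100.7", "HTTP_X_FORWARDED_FOR": "10.0.0.1"}
    proxied = {"REMOTE_ADDR": "192.0.2.10", "HTTP_X_FORWARDED_FOR": "198.51.100.7"}
    print(apply_trusted_proxy(naked, trusted)["REMOTE_ADDR"])    # 198.51.100.7
    print(apply_trusted_proxy(proxied, trusted)["REMOTE_ADDR"])  # 198.51.100.7
```

Everything to the left of the rightmost untrusted hop is discarded, which is why a client that sends its own X-Forwarded-For cannot influence the result when the trusted proxy appends the true address behind it.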