[Zope] remote address

Steve Spicklemire steve@spvi.com
Sat, 15 Sep 2001 12:17:08 -0500


Hi Fritz,

I believe that recent versions of Apache have ProxyVia which does
essentially the same thing.

-steve

On Saturday, September 15, 2001, at 02:03 AM, Fritz Mesedilla wrote:

> Oh I get it!
> Thanks. I will take a look at squid.
>
> Fritz Mesedilla
> Systems Administrator
>
> Summit Interactive, Inc.
> FHM | Seventeen | Candy | Cosmopolitan | Preview | Good Housekeeping
> femalenetwork.com | candymag.com | fhm.com.ph | cosmo.com.ph
>
> Palm Pilot Software: TVSked - Download from the link below
> ----------------------------------------------------------------------------
> http://mesedilla.tripod.com           +Basta Ikaw Lord
> -----Original Message-----
> From: Richard Barrett [mailto:R.Barrett@ftel.co.uk]
> Sent: Friday, September 14, 2001 8:40 PM
> To: fritz.mesedilla@summitmedia.com.ph; zope@zope.org
> Subject: Re: [Zope] remote address
>
>
> Further to my earlier post, what follows is extracted from the on-line
> documentation for the Squid caching proxy server (see
> http://www.squid-cache.org/Doc/FAQ/FAQ-4.html#ss4.17) which you could use
> instead of Apache to front your Zope server.
>
> Of note is that squid optionally adds a non-standard HTTP header to pass on
> the IP number it received the request from but the squid FAQ correctly
> warns about depending on this information as the basis for access control.
> What is supplied in this header is at best informational.
>
> Squid FAQ says: ----------------------------
>
> 4.17 What is ``HTTP_X_FORWARDED_FOR''? Why does squid provide it to WWW
> servers, and how can I stop it?
>
> When a proxy-cache is used, a server does not see the connection coming
> from the originating client. Many people like to implement access controls
> based on the client address. To accommodate these people, Squid adds its
> own request header called "X-Forwarded-For" which looks like this:
>
>          X-Forwarded-For: 128.138.243.150, unknown, 192.52.106.30
>
> Entries are always IP addresses, or the word 'unknown' if the address could
> not be determined or if it has been disabled with the forwarded_for
> configuration option.
>
> We must note that access controls based on this header are extremely weak
> and simple to fake. Anyone may hand-enter a request with any IP address
> whatsoever. This is perhaps the reason why client IP addresses have been
> omitted from the HTTP/1.1 specification.
> --------------------------------------------
> At 14:19 14/09/2001 +0800, Fritz Mesedilla wrote:
>> My setup right now has apache in front then zope.
>> When I do a <dtml-var REMOTE_ADDR> it gives the address of the apache
>> server.
>> Is there a way to get the address of the visitor and not the apache server?
>
> There is a patch for Apache which leads it, when acting as a Proxy, to
> forward the incoming request information it is seeing in an HTTP VIA header
> (See RFC2616) which it adds to the request. There is info about this patch
> at http://www.zope.org/Members/unfo/apache_zserver_ssl but I've not yet
> used it myself.
>
> Using this makes things a bit messy, which is why I'm not going with it
> yet, as you would have to look in REMOTE_ADDR and if that contained your
> Proxy Apache's IP number then test against the VIA header. The problem is
> that this HTTP header was not intended for forwarding information about the
> originating client but for adding information about intermediate proxies
> and gateways that have handled the incoming request. Depending on how the
> patch is implemented, i.e. does it add information to any pre-existing VIA
> header or replace it, the header could contain information about other
> intermediate Proxies.
>
> Probably the best you can do is determine that the request originated
> outside your domain rather than getting an absolute determination of the
> ultimate client's IP number. Bear in mind that if the incoming request came
> through another proxy server your Apache Proxy would see the request as
> coming from that other proxy's IP number and have no way of determining the
> ultimate origin of the request.
>
> Best of luck.
>
>> Thanks.
>>
>> Fritz Mesedilla
>> Systems Administrator
>>
>> Summit Interactive, Inc.
>> FHM | Seventeen | Candy | Cosmopolitan | Preview | Good Housekeeping
>> femalenetwork.com | candymag.com | fhm.com.ph | cosmo.com.ph
>>
>> Palm Pilot Software: TVSked - Download from the link below
>> ----------------------------------------------------------------------------
>> http://mesedilla.tripod.com           +Basta Ikaw Lord
>
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
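
The check discussed in the thread (look at REMOTE_ADDR first, and only consult the forwarded header when the peer is your own proxy), as an added example that is not part of the original messages. The TRUSTED_PROXIES networks and the function names are assumptions for illustration; the result is only as reliable as the proxy that appended the last entry.

```python
import ipaddress

# Assumption: the front-end proxy (Squid or Apache) connects to Zope from
# one of these networks. Replace with your own proxy addresses.
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("10.0.0.0/24"),
]


def is_trusted_proxy(ip):
    """True if ip belongs to one of our own front-end proxies."""
    return any(ip in net for net in TRUSTED_PROXIES)


def client_address(remote_addr, x_forwarded_for=""):
    """Return the nearest address that one of our own proxies vouches for.

    remote_addr is the TCP peer (REMOTE_ADDR); x_forwarded_for is the raw
    X-Forwarded-For header value, or "" when the header is absent.
    """
    peer = ipaddress.ip_address(remote_addr)
    # A header sent by anything other than our own proxy is client-supplied
    # text and is ignored completely.
    if not is_trusted_proxy(peer) or not x_forwarded_for:
        return str(peer)

    best = peer
    # Each proxy appends the address it saw, so walk from the right: the
    # rightmost entry was written by our proxy, everything further left
    # was already in the request when it arrived.
    for entry in reversed([e.strip() for e in x_forwarded_for.split(",")]):
        try:
            hop = ipaddress.ip_address(entry)
        except ValueError:
            break  # 'unknown' or garbage: nothing further left is verifiable
        best = hop
        if not is_trusted_proxy(hop):
            break  # first hop outside our control; stop trusting the list
    return str(best)
```

Entries to the left of the returned address were supplied by the client or by proxies outside your control, so they remain informational at best.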