Support for X-HTTPD-FORWARDED-FOR Re: [Zope-dev] Speaking of 2.6...

Jim Washington jwashin@vt.edu
Thu, 11 Apr 2002 09:01:33 -0400


Toby Dickenson wrote:

>On Wed, 10 Apr 2002 12:16:35 -0400, Jim Washington <jwashin@vt.edu>
>wrote:
>
>>2.  If we want to get fancy about allowing authentication using that ip 
>>address like naked ZServers can do,
>>
>
>>to
>>
>>if request.has_key('HTTP_X_FORWARDED_FOR'):
>>    addr=request['HTTP_X_FORWARDED_FOR']
>>elif request.has_key('REMOTE_ADDR'):
>>    addr=request['REMOTE_ADDR']
>>
>
>There are lots of things that use REMOTE_ADDR, and I guess they should
>*all* use the proxy supplied address rather than the address of the
>proxy. It makes sense to me that we should *replace* REMOTE_ADDR with
>HTTP_X_FORWARDED_FOR at the earliest opportunity. (and create a
>X_FORWARDED_BY)
>
>Have you considered this approach?
>
Not yet, but I like the idea...  As with Oliver's reply, this I think 
would need some research.  I will be refining what I mean by "support" 
in the subject line shortly.

>
>
>On Wed, 10 Apr 2002 18:59:38 +0200, Oliver Bleutgen <myzope@gmx.net>
>wrote:
>
>>Correct me if I'm wrong, but this IMO makes spoofing against a naked 
>>ZServer a child's play.
>>
>
>That's correct for a naked ZServer, or if behind a proxy which does not
>sanitize the X-FORWARDED-FOR header. However it is safe if the request
>comes from the right kind of proxy.
>
>I think we need a new command line option to specify a list of IP
>addresses which are trusted to run 'the right kind of proxy'. Zope
>should only trust the X-FORWARDED-FOR header if the remote address is
>one of its trusted proxies.
>
>Pseudocode for handling this would be:
>
>if request['REMOTE_ADDR'] in our_trusted_front_end_proxies:
>    request['HTTP_X_FORWARDED_BY'] = request['REMOTE_ADDR']
>    request['REMOTE_ADDR'] = request['HTTP_X_FORWARDED_FOR']
>
Excellent!  Except for command-line bloat.  With Matt Behrens's config 
proposal 
(http://dev.zope.org/Wikis/DevSite/Proposals/InstallationAndConfiguration), 
this nevertheless could be workable.  Things are looking up.  Maybe. 
Ummmm..., more research...

-- Jim Washington
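The following is an added example, written for this archive page and not code from the thread, from Zope, or from any of the posters. It implements the trusted-proxy check Toby sketches in pseudocode above, working on a CGI-style request dictionary with `REMOTE_ADDR` and `HTTP_X_FORWARDED_FOR` keys. It goes a step beyond the pseudocode in one way: it treats `X-Forwarded-For` as the comma-separated chain that chained proxies produce and walks it from the right, past any further trusted proxies, so that a value the client itself put at the front of the header is never taken as the client address. The proxy addresses in `TRUSTED_PROXIES` are constructed placeholders, not anything from the thread.

```python
import ipaddress

# Constructed list of "the right kind of proxy" addresses (hypothetical values).
# In the proposal this would come from a command-line option or a config file.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.5/32"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def _is_trusted(addr_text, trusted_proxies):
    """True if addr_text parses as an IP that lies inside a trusted network."""
    try:
        ip = ipaddress.ip_address(addr_text)
    except ValueError:
        return False
    return any(ip in net for net in trusted_proxies)


def resolve_client_address(request, trusted_proxies=TRUSTED_PROXIES):
    """Return a copy of the request dict with REMOTE_ADDR rewritten to the
    client address, but only when the request arrived via a trusted proxy.

    If REMOTE_ADDR is not a trusted proxy, X-Forwarded-For is attacker
    controlled and is left unused: REMOTE_ADDR stays as-is and no
    HTTP_X_FORWARDED_BY is set.
    """
    env = dict(request)
    remote = env.get("REMOTE_ADDR")
    forwarded = env.get("HTTP_X_FORWARDED_FOR")
    if not remote or not forwarded:
        return env
    if not _is_trusted(remote, trusted_proxies):
        # Naked server or unknown proxy: the header cannot be believed.
        return env

    # X-Forwarded-For is "client, proxy1, proxy2, ..." with each proxy
    # appending the address it saw. Walk from the right (the hop nearest us)
    # and stop at the first address that is not one of our trusted proxies;
    # that is the real client. Anything further left was supplied by the
    # client and may be forged.
    hops = [h.strip() for h in forwarded.split(",") if h.strip()]
    client = remote
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: keep the last good address and stop.
            break
        client = hop
        if not _is_trusted(hop, trusted_proxies):
            break

    env["HTTP_X_FORWARDED_BY"] = remote
    env["REMOTE_ADDR"] = client
    return env


if __name__ == "__main__":
    # Constructed sample requests for a quick demonstration.
    via_proxy = {"REMOTE_ADDR": "10.0.0.5",
                 "HTTP_X_FORWARDED_FOR": "203.0.113.7"}
    direct = {"REMOTE_ADDR": "198.51.100.9",
              "HTTP_X_FORWARDED_FOR": "127.0.0.1"}
    print(resolve_client_address(via_proxy)["REMOTE_ADDR"])  # 203.0.113.7
    print(resolve_client_address(direct)["REMOTE_ADDR"])     # 198.51.100.9
```

The function returns a new dictionary rather than mutating the one passed in, so the original `REMOTE_ADDR` remains available for logging; the rewritten copy is what authentication code keyed on client address should see.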