[Zope] accessing REMOTE_ADDR

Richard Barrett R.Barrett@ftel.co.uk
Tue, 02 Oct 2001 17:29:00 +0100


At 21:47 01/10/2001 -0500, Timothy Wilson wrote:
>Hi everyone,
>
>I've been messing around with my Apache config and the ProxyVia directive
>and searching the mailing list archive. I have yet to find the definitive
>answer to this question:
>
>Is it possible to retrieve the actual IP address of the site visitor when
>using Zope with Apache ProxyPass or Rewrite rules (without patching Apache)?

In the case of mod_proxy and without patching the answer is no.

In the case of mod_rewrite the answer is maybe and depends on your 
rewriting rule and the flags (see 
http://httpd.apache.org/docs-2.0/mod/mod_rewrite.html#RewriteRule) on the 
rule that is matched to the URL.

If your rewriting causes a redirection (the R flag) then the rewritten URL 
is sent back to the user's browser as part of the HTTP 302 Response. The 
browser then automatically requests this revised URL and as a consequence 
the server can see in REMOTE_ADDR the IP number at which the incoming 
connection originated; of course this may or may not be the IP number of 
the machine on which the user's browser is running. It could be the IP 
number of the outgoing HTTP proxy server for the network to which the 
user's machine is connected, amongst other things.

If rewriting causes mod_proxy also to be used (the P flag) then the 
rewritten URL is requested by mod_proxy and the results of the request are 
sent back to the user's browser. In these circumstances the server will see 
in REMOTE_ADDR the IP number of the machine running Apache.

The question you have to ask yourself is: why do I care what the IP number 
of the machine running the user's browser is? What benefit do you expect 
your application to derive from knowing this IP number?

When it comes down to it you can only say with certainty:

1. Whatever IP number your server is supplied with, it should not trust it. 
The IP number should not form the basis of any security measures intended 
to protect your web site from unwelcome access.

2. Increasingly, and probably mainly, the machine on which your client's 
browser is running will itself be hiding behind some sort of firewall with 
some sort of HTTP proxy on that firewall through which all outgoing browser 
requests pass. It may be something as simple as a DSL router which uses NAT 
to allow multiple machines to share the single DSL internet connection. The 
whole purpose of such proxies and routers is to hide user machines from the 
hackers out there in webland; to not reveal the IP numbers on the LAN 
inside the firewall which, increasingly, are likely to be private IP 
numbers and thus meaningless outside the user's local network. Thus all you 
can determine is the IP number of the machine which originated the incoming 
connection to your server. You cannot determine whether or not this is a 
real user's machine, an HTTP proxy on a firewall, the IP number of the 
user's personal firewall machine which just did NAT on the request ...

3. There is no mechanism defined by HTTP - the protocol, that is - for 
proxies to forward the IP number of the ultimate originator of a request 
that your server receives; this is no accidental omission, it reflects the 
realities described in (2) above. At best, and assuming you control the 
proxy server nearest your server, you can get that proxy server to tell you 
the IP number at the other end of the incoming request it received and 
which caused its request to your server: but we already know we cannot determine 
whether that machine is running the user's browser or not.

My advice: give it up; like who cares what the IP number of the user's 
machine is. If you are after security you've got to rely on the low grade 
capabilities of Basic Authentication and its cookie cousins, or get some 
serious protection by wrapping Basic Auth in SSL.

>Has anyone had success with this? I'm running Zope 2.3.2 on Linux with
>Apache 1.3.19. No matter what I try REMOTE_ADDR is still 127.0.0.1 and
>HTTP_VIA still contains the domain of my Web server. I'd love to hear that
>someone has been able to do this.
>
>-Tim
>
>--
>Tim Wilson      |   Visit Sibley online:   | Check out:
>Henry Sibley HS |  http://www.isd197.org   | http://www.zope.com
>W. St. Paul, MN |                          | http://slashdot.org
>wilson@visi.com |  <dtml-var pithy_quote>  | http://linux.com
>
>
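An added example, not from the thread and not Zope's or Apache's own code, of how a Zope application could treat REMOTE_ADDR in the setup Tim describes: it trusts only the proxy at 127.0.0.1 and assumes that proxy has been configured to pass the peer address in an X-Forwarded-For header (an assumption; the thread does not say Apache 1.3's mod_proxy does this). Following point 3 above, the result is only "the IP number at the other end of the incoming request", usable for logging but never as an access control.

```python
import ipaddress

# Assumption: the only proxy allowed to speak for a client is the Apache
# instance on the same host, as in the 127.0.0.1 case from the thread.
TRUSTED_PROXIES = {"127.0.0.1"}


def originating_address(environ, header="HTTP_X_FORWARDED_FOR"):
    """Return (address, source) for the peer that opened the connection
    to the nearest trusted proxy, or the direct peer if no trusted proxy
    was involved. `header` is an assumed proxy-supplied CGI variable.
    Use the address for logging only; it says nothing about who the
    user is (points 1 and 2 above)."""
    remote = environ.get("REMOTE_ADDR", "")
    if remote not in TRUSTED_PROXIES:
        # Direct connection (or an unknown proxy): REMOTE_ADDR is all we
        # can know, and any forwarded header is client-controlled noise.
        return remote, "direct"
    forwarded = environ.get(header, "")
    if not forwarded:
        # The proxy told us nothing, so we only see the proxy itself.
        return remote, "proxy-only"
    # Walk right to left past hops we trust; the first untrusted hop is
    # the one that connected to our proxy. Anything further left was
    # supplied by that hop or by the client and cannot be verified.
    hops = [h.strip() for h in forwarded.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in TRUSTED_PROXIES:
            try:
                ipaddress.ip_address(hop)
            except ValueError:
                return remote, "proxy-only"  # malformed header: ignore it
            return hop, "forwarded"
    return remote, "proxy-only"


def is_private(addr):
    """True for loopback / RFC 1918-style addresses, which are meaningless
    outside the client's own LAN (point 2 above)."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False
```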