[Zope] accessing REMOTE_ADDR

Richard Barrett R.Barrett@ftel.co.uk
Tue, 02 Oct 2001 19:54:56 +0100


At 12:42 02/10/2001 -0400, you wrote:
>On Tue, Oct 02, 2001 at 05:29:00PM +0100, Richard Barrett wrote:
> > At 21:47 01/10/2001 -0500, Timothy Wilson wrote:
> > >Hi everyone,
> > >
> > 2. Increasingly, and probably mainly, the machine on which your client's
> > browser is running will itself be hiding behind some sort of firewall with
> > some sort of HTTP proxy on that firewall through which all outgoing 
> browser
> > requests pass. It may be soemthing as simple as a DSL Router which uses 
> NAT
> > to allow multiple machines to share the single DSL internet connection. 
> The
> > whole purpose of such proxies and routers is to hide user machines from 
> the
> > hackers out there in webland; to not reveal the IP numbers on the lan
> > inside the firewall which, increasingly, are likely to be private IP
> > numbers and thus meaningless outside the user's local network. Thus all 
> you
> > can determine is the IP number of the machine which originated the 
> incoming
> > connection to your server. You cannot detemine whether or not this is a
> > real user's machine, an HTTP proxy on a firewall, the IP number of the
> > user's personal firewall machine which just did NAT on the request ...
>
>And here you have just bumped up against reason that 'who cares' is not
>correct.  Suppose you have a system that is behind a firewall and serves
>content of use to both people inside the firewall and outside it.
>Suppose further that you are reasonable and that your internal network
>has only martian addresses.  Then you will want to write URLs so that
>your internal users address the machine directly, without passing
>through the firewall or an additional proxy server.  You have to
>write external URLs to your firewall.

I'm afraid I'm not sure I fully grasp the point you are making in the last 
two sentences above. When you say "you will want to write URLs" do you mean 
"when dynamically rendering a page you will want to generate URLs"?

If so, then envisage the situation of my systems:

1. An Apache server visible both inside and outside a firewall. This Apache 
server proxies the Zope server inside the firewall as well as serving 
public content.

2. A Zope server visible only inside a firewall. This machine is directly 
visible to other machines inside the firewall but invisible to any machine 
outside the firewall. I want to make some of the Zope servers content 
available through the Apache server. Why, because I trust Apache more than 
Zope when I comes to dealing with random hacker attacks on servers.

Machines inside the firewall have the option of going direct to the Zope 
server using URL pattern 1 or via Apache with URL having a pattern 2 which 
is rewritten to pattern 3.

Machine outside the firewall can only reach the Zope server via Apache with 
the incoming URL having a pattern 2 which is rewritten to pattern 3.

This rewriting can be done using either mod_rewrite using a Rewrite rule 
with the P flag which hands off the rewritten URL to mod_proxy or by using 
a ProxyPass which goes direct to mod_proxy.

Example of these URL patterns look like;

Pattern 1: http://zopeserver.mydomain.com:8080/public/index.html

Pattern 2: http://www-my-apache-server.mydomain.com/onzope/public/index.html

Pattern 3: 
http://zopeserver.mydomain.com:8080/VirtualHostBase/http/www-my-apache-server.mydomain.com:80/VirtualHostRoot/_vh_onzope/public/index.html 


Zope's Virtual Host Monster handles the problem of dynamically generating 
absolute URLs appropriate to the incoming request. Suppose that in what 
index_html generates I refer to the absolute URL of a document called 
fred_html in a sub-directory called jim below public then Zope's output 
will appropriate.

If I addressed index_html as 
http://zopeserver.mydomain.com:8080/public/index.html no rewriting takes 
place because Apache doesn't see the request. Zope sees this as the 
incoming request URL. The VHM does not interfere with the generation of 
http://zopeserver.mydomain.com:8080/public/jim/fred.html which is what we 
want in the output.

On the other hand, if I addressed index_html as 
http://www-my-apache-server.mydomain.com/onzope/public/index.html then 
Apache translates this to 
http://zopeserver.mydomain.com:8080/VirtualHostBase/http/www-my-apache-server.mydomain.com:80/VirtualHostRoot/_vh_onzope/public/index.html 
which is what it puts in the request to Zope. The Zope server sees the 
translation as the incoming URL. This gives the VHM the information it 
needs to both traverse to the right page (i.e. to /public/index.html) and 
to generate 
http://www-my-apache-server.mydomain.com/onzope/public/jim/fred.html, which 
is also what we want in the output.

Like I said, who cares what the IP number of our user's machine is. What we 
respond to is the way the information is asked for, i.e.the URL being 
requested. The advantage with VHM used this way is your code doesn't have 
to care about proxying and IP numbers and stuff. Just install a VHM at the 
root of your Zope. As long as you consistently only use either properly 
relative URLs ('../../this/that_html')or URLs returned by Zope's 
absolute_URL function (with the call parameter left at its default 
'relative=0') it all works automagically.

The guy who wrote the VHM did a really neat job.

As a final point, suppose you still really want to generate different 
output for folks inside and outside the firewall. If outsiders only can get 
in via proxy server(s) on your firewall we have the lever we need. If the 
IP number of the connection through which Zope got the request shows the 
connection to Zope came from the IP number(s) of the proxy servers(s) then 
act as if the requestor is an outsider. If internal users behave like 
outsiders by coming through the proxy, then just treat them like outsiders. 
The test is fast and simple. Alternatively use more complex Rewrite rules 
to control which content or version of content on the Zope server can be 
seen via the proxy. We don't care where they came from, we just care how 
they got here.

>Note, you are making no security decision on the IP at all (although you
>can reasonably safely make a distinction between martian/non-martian).
>You are making an efficiency and possibly a latency decision.
>
>Jim Penny
>
> >
> > My advice: give it up; like who cares what the IP number of the user's
> > machine is. If you are after security you've got to rely on the low grade
> > capabilities of Basic Authentication and its cookie cousins, or get some
> > serious protection by wrapping Basic Auth in SSL.
> >
>
>_______________________________________________
>Zope maillist  -  Zope@zope.org
>http://lists.zope.org/mailman/listinfo/zope
>**   No cross posts or HTML encoding!  **
>(Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )