[Zope] accessing REMOTE_ADDR

Fritz Mesedilla fritz.mesedilla@summitmedia.com.ph
Wed, 3 Oct 2001 13:27:13 +0800


In our need for the IP address of the visitor, we want to know if the error
we received was produced by our own testing or by a valid visitor.

By the way, we only hope to get a visitor's IP address when that visitor
encounters an error and zope automatically emails our support team.

Thus, it has a definite purpose.

Thanks anyway.

Cheers,

Fritz Mesedilla
www.mesedilla.com

Summit Interactive, Inc.
fhm.com.ph, femalenework.com, candymag.com, ---
+Basta Ikaw Lord

-----Original Message-----
From: Richard Barrett [mailto:R.Barrett@ftel.co.uk]
Sent: Wednesday, October 03, 2001 12:29 AM
To: Timothy Wilson; Zope listserv
Subject: Re: [Zope] accessing REMOTE_ADDR


At 21:47 01/10/2001 -0500, Timothy Wilson wrote:
>Hi everyone,
>
>I've been messing around with my Apache config and the ProxyVia directive
>and searching the mailing list archive. I have yet to find the definitive
>answer to this question:
>
>Is it possible to retrieve the actual IP address of the site visitor when
>using Zope with Apache ProxyPass or Rewrite rules (without patching
Apache)?
In the case of mod_proxy and without patching the answer is no.
In the case of mod_rewrite the answer is maybe and depends on your
rewriting rule and the flags (see
http://httpd.apache.org/docs-2.0/mod/mod_rewrite.html#RewriteRule) on the
rule that is matched to the URL.
If your rewriting causes a redirection (the R flag) then the rewritten URL
is sent back to the users' browser as part of the HTTP 302 Response. The
browser then automatically requests this revised URL and as a consequence
the server can see in REMOTE_ADDR the IP number at which the incoming
connection originated; of course this may or may not be the IP number of
the machine on which the user's browser is running. It could be the IP
number of the outgoing HTTP proxy server for the network to which the
user's machine is connected, amongst other things.
If rewriting causes mod_proxy also to be used (the P flag) then the
rewritten URL is requested by mod_proxy and the results if the request are
sent back to the user's bowser. In these circumstances the sever will see
in REMOTE_ADDR the IP number of the machine running Apache.
The question you have to ask yourself is: why do I care what the IP number
of the machine running the user's browser is? What benefit do you expect
you application to derive from knowing this IP number?
When it comes down to it you can only say with certainty:
1. Whatever IP number your server is supplied with it should not trust it.
The IP number should not form the basis of any security measures intended
to protect your web site from unwelcome access.
2. Increasingly, and probably mainly, the machine on which your client's
browser is running will itself be hiding behind some sort of firewall with
some sort of HTTP proxy on that firewall through which all outgoing browser
requests pass. It may be soemthing as simple as a DSL Router which uses NAT
to allow multiple machines to share the single DSL internet connection. The
whole purpose of such proxies and routers is to hide user machines from the
hackers out there in webland; to not reveal the IP numbers on the lan
inside the firewall which, increasingly, are likely to be private IP
numbers and thus meaningless outside the user's local network. Thus all you
can determine is the IP number of the machine which originated the incoming
connection to your server. You cannot detemine whether or not this is a
real user's machine, an HTTP proxy on a firewall, the IP number of the
user's personal firewall machine which just did NAT on the request ...
3. There is no mechanism defined by the HTTP - the protocol that is - for
proxies to forward the IP number of the ultimate originator of a request
that your server receives; this is no accidental omission it reflects the
realities described in (2) above. At best, and assuming you control the
proxy server nearest your server, you can get that proxy server to tell you
the IP number at the other end of the incoming request it received and
caused it's request to your server: but we already know we cannot determine
whether that machine is running the user's browser or not.
My advice: give it up; like who cares what the IP number of the user's
machine is. If you are after security you've got to rely on the low grade
capabilities of Basic Authentication and its cookie cousins, or get some
serious protection by wrapping Basic Auth in SSL.
>Has anyone had success with this? I'm running Zope 2.3.2 on Linux with
>Apache 1.3.19. No matter what I try REMOTE_ADDR is still 127.0.0.1 and
>HTTP_VIA still contains the domain of my Web server. I'd love to hear that
>someone has been able to do this.
>
>-Tim
>
>--
>Tim Wilson      |   Visit Sibley online:   | Check out:
>Henry Sibley HS |  http://www.isd197.org   | http://www.zope.com
>W. St. Paul, MN |                          | http://slashdot.org
>wilson@visi.com |  <dtml-var pithy_quote>  | http://linux.com
>
>
>_______________________________________________
>Zope maillist  -  Zope@zope.org
>http://lists.zope.org/mailman/listinfo/zope
>**   No cross posts or HTML encoding!  **
>(Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )


_______________________________________________
Zope maillist  -  Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )