[Zope] accessing REMOTE_ADDR

Richard Barrett R.Barrett@ftel.co.uk
Thu, 04 Oct 2001 18:45:37 +0100


At 09:03 04/10/2001 -0600, Bill Anderson wrote:
>On Tue, 2001-10-02 at 10:29, Richard Barrett wrote:
> > At 21:47 01/10/2001 -0500, Timothy Wilson wrote:
> > >Hi everyone,
> > >
> > >I've been messing around with my Apache config and the ProxyVia directive
> > >and searching the mailing list archive. I have yet to find the definitive
> > >answer to this question:
> > >
> > >Is it possible to retrieve the actual IP address of the site visitor when
> > >using Zope with Apache ProxyPass or Rewrite rules (without patching 
> Apache)?
> >
> > In the case of mod_proxy and without patching the answer is no.
>
>Sorry, that is wrong.
>
>
>I am using apache 1.3.19, ProxyPass, and have the ProxyVia directive
>turned to full, and it works just fine.
>
>ProxyVia full
>goes in the VirtualHost section in your httpd.conf file.

If you are using vanilla Apache I think you will find that in a proxied 
request Zope will see the REMOTE_ADDR environment variable containing the 
IP number of the Apache server and that there is also a VIA header inserted 
containing the IP info of the Apache server and its version information. 
The former is because that is where Zope saw the incoming connection come 
from. The latter is what Apache is supposed to put in a VIA header if 
ProxyVia is 'On' or 'Full'. Nothing in what is passed to Zope identifies 
the IP number of the machine originating the request coming in to Apache. 
Well that is what Apache 1.3.14 under Suse Linux 7.2 does for me. This is 
with straight Apache proxying for a separate Zope server. I've no idea what 
you get with a fastcgi or pcgi hookup between Apache and Zope.

>Now, I am not using ModRewrite, so there *may* be some issues with that.
>

If instead of mod_proxy and ProxyPass I use mod_rewrite with a RewriteRule 
having a P (proxy) flag I get the same results. No surprise there.

>...
>
> > My advice: give it up; like who cares what the IP number of the user's
> > machine is. If you are after security you've got to rely on the low grade
> > capabilities of Basic Authentication and its cookie cousins, or get some
> > serious protection by wrapping Basic Auth in SSL.
>
>Again, not completely true. if you use IP addresses for security
>purposes, your primary concern is spoofed IPs, If your OS allows it
>(such as Linux), you can block nearly all spoofed IP attempts.
>
>Bill

The point I was making is that in the general internet case you have no way 
of reliably determining the IP number of the machine running the client 
browser which originated an HTTP Request which, finally, your server is 
responding it. The proliferation of NAT and Proxies between the ultimate 
client and the ultimate server prevents this information being available. 
Thus you cannot base a security strategy on the IP number of the machine 
the site visitor was running his browser on.

Consider what use the server can make of the IP number of a client with a 
private IP number that can only reach the server through a proxy on the 
border of the client's home domain; there are potentially a gazillion 
machines with the IP number 172.16.5.70 and all of them have different 
hostnames within their local domain. Even if you had the IP number the 
information content is zero.

Even when you are servicing the incoming request in an Apache or Zope 
server directly connected to the internet you can only know the IP number 
of the machine at the other end of the incoming connection. In many, maybe 
most cases of connections over the internet this is not the IP number of 
the machine running the client browser which made the original request.

HTTP 1.1 (RFC2616) quite specifically provides no mechanism for carrying 
the IP number of the initiating client forward through intermediate HTTP 
proxies; there is no request header defined to carry the information; 
intervening proxies, even those that are HTTP aware, have no defined place 
to put the information. And even if there were somewhere to put it you 
could not have any confidence in what it told you. Trivial code on any 
intermediate machine can manipulate HTTP headers undetectably unless your 
are using SSL.

There are patches to Apache which will, when Apache is proxying, put the IP 
number from which it saw the incoming request come into a VIA header. This 
is an abuse of this header which is defined to accumulate data about 
intermediate proxies handling a request for purely informational purposes. 
Squid can likewise insert a non-standard header X-Forwarded-For header; I 
believe there is also a patch to get Apache to insert a  X-Forwarded-For 
header instead of a dodgy VIA.

If you use these AND control the proxy machine you can get a fairly 
reliable read of the IP number of the machine that made the request to the 
proxy server BUT, in the general internet case, that is not going to be the 
same thing as the IP number of the machine on which the user's browser was 
running. However, in some case it may be useful.

Say you want your server to behave differently for clients inside your 
local network/home domain and those machines may come come direct to Zope 
or via you Apache server as proxy. Then doing reverse DNS lookups of the 
REMOTE_ADDR, falling back to a reverse DNS lookup of the X-Forwarded-For 
header if the REMOTE_ADDR is that of your Apache proxy server, can give a 
reasonably reliable confirmation that the request came from a machine in 
your local network.