From 8f065bba6b262fe7b1bfde15e70bcbc7e4602a48 Mon Sep 17 00:00:00 2001 From: Adrian Holovaty Date: Fri, 18 Aug 2006 03:12:36 +0000 Subject: [PATCH] Fixed #2552 -- Added SetRemoteAddrFromForwardedFor middleware and documentation. Thanks, Ian Holsman git-svn-id: http://code.djangoproject.com/svn/django/trunk@3602 bcc190cf-cafb-0310-a4f2-bffc1f526a37 --- django/middleware/http.py | 24 ++++++++++++++++++++++++ docs/middleware.txt | 18 +++++++++++++++++- 2 files changed, 41 insertions(+), 1 deletion(-) diff --git a/django/middleware/http.py b/django/middleware/http.py index 12d0c0f6836..3ebd8ffd1ab 100644 --- a/django/middleware/http.py +++ b/django/middleware/http.py @@ -35,3 +35,27 @@ class ConditionalGetMiddleware(object): response.content = '' return response + +class SetRemoteAddrFromForwardedFor(object): + """ + Middleware that sets REMOTE_ADDR based on HTTP_X_FORWARDED_FOR, if the + latter is set. This is useful if you're sitting behind a reverse proxy that + causes each request's REMOTE_ADDR to be set to 127.0.0.1. + + Note that this does NOT validate HTTP_X_FORWARDED_FOR. If you're not behind + a reverse proxy that sets HTTP_X_FORWARDED_FOR automatically, do not use + this middleware. Anybody can spoof the value of HTTP_X_FORWARDED_FOR, and + because this sets REMOTE_ADDR based on HTTP_X_FORWARDED_FOR, that means + anybody can "fake" their IP address. Only use this when you can absolutely + trust the value of HTTP_X_FORWARDED_FOR. + """ + def process_request(self, request): + try: + real_ip = request.META['HTTP_X_FORWARDED_FOR'] + except KeyError: + return None + else: + # HTTP_X_FORWARDED_FOR can be a comma-separated list of IPs. + # Take just the first one. + real_ip = real_ip.split(",")[0] + request.META['REMOTE_ADDR'] = real_ip diff --git a/docs/middleware.txt b/docs/middleware.txt index bad00fd890c..efc4d895699 100644 --- a/docs/middleware.txt +++ b/docs/middleware.txt @@ -63,7 +63,7 @@ Adds a few conveniences for perfectionists: last component in the path contains a period. So ``foo.com/bar`` is redirected to ``foo.com/bar/``, but ``foo.com/bar/file.txt`` is passed through unchanged. - + If ``PREPEND_WWW`` is ``True``, URLs that lack a leading "www." will be redirected to the same URL with a leading "www." @@ -101,6 +101,22 @@ Handles conditional GET operations. If the response has a ``ETag`` or Also removes the content from any response to a HEAD request and sets the ``Date`` and ``Content-Length`` response-headers. +django.middleware.http.SetRemoteAddrFromForwardedFor +---------------------------------------------------- + +**New in Django development version** + +Sets ``request['REMOTE_ADDR']`` based on ``request.['HTTP_X_FORWARDED_FOR']``, +if the latter is set. This is useful if you're sitting behind a reverse proxy +that causes each request's ``REMOTE_ADDR`` to be set to ``127.0.0.1``. + +**Important note:** This does NOT validate ``HTTP_X_FORWARDED_FOR``. If you're +not behind a reverse proxy that sets ``HTTP_X_FORWARDED_FOR`` automatically, do +not use this middleware. Anybody can spoof the value of +``HTTP_X_FORWARDED_FOR``, and because this sets ``REMOTE_ADDR`` based on +``HTTP_X_FORWARDED_FOR``, that means anybody can "fake" their IP address. Only +use this when you can absolutely trust the value of ``HTTP_X_FORWARDED_FOR``. + django.contrib.sessions.middleware.SessionMiddleware ----------------------------------------------------