Fixed #2552 -- Added SetRemoteAddrFromForwardedFor middleware and documentation. Thanks, Ian Holsman
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3602 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
efa19ae8a7
commit
8f065bba6b
|
@ -35,3 +35,27 @@ class ConditionalGetMiddleware(object):
|
||||||
response.content = ''
|
response.content = ''
|
||||||
|
|
||||||
return response
|
return response
|
||||||
|
|
||||||
|
class SetRemoteAddrFromForwardedFor(object):
|
||||||
|
"""
|
||||||
|
Middleware that sets REMOTE_ADDR based on HTTP_X_FORWARDED_FOR, if the
|
||||||
|
latter is set. This is useful if you're sitting behind a reverse proxy that
|
||||||
|
causes each request's REMOTE_ADDR to be set to 127.0.0.1.
|
||||||
|
|
||||||
|
Note that this does NOT validate HTTP_X_FORWARDED_FOR. If you're not behind
|
||||||
|
a reverse proxy that sets HTTP_X_FORWARDED_FOR automatically, do not use
|
||||||
|
this middleware. Anybody can spoof the value of HTTP_X_FORWARDED_FOR, and
|
||||||
|
because this sets REMOTE_ADDR based on HTTP_X_FORWARDED_FOR, that means
|
||||||
|
anybody can "fake" their IP address. Only use this when you can absolutely
|
||||||
|
trust the value of HTTP_X_FORWARDED_FOR.
|
||||||
|
"""
|
||||||
|
def process_request(self, request):
|
||||||
|
try:
|
||||||
|
real_ip = request.META['HTTP_X_FORWARDED_FOR']
|
||||||
|
except KeyError:
|
||||||
|
return None
|
||||||
|
else:
|
||||||
|
# HTTP_X_FORWARDED_FOR can be a comma-separated list of IPs.
|
||||||
|
# Take just the first one.
|
||||||
|
real_ip = real_ip.split(",")[0]
|
||||||
|
request.META['REMOTE_ADDR'] = real_ip
|
||||||
|
|
|
@ -63,7 +63,7 @@ Adds a few conveniences for perfectionists:
|
||||||
last component in the path contains a period. So ``foo.com/bar`` is
|
last component in the path contains a period. So ``foo.com/bar`` is
|
||||||
redirected to ``foo.com/bar/``, but ``foo.com/bar/file.txt`` is passed
|
redirected to ``foo.com/bar/``, but ``foo.com/bar/file.txt`` is passed
|
||||||
through unchanged.
|
through unchanged.
|
||||||
|
|
||||||
If ``PREPEND_WWW`` is ``True``, URLs that lack a leading "www." will be
|
If ``PREPEND_WWW`` is ``True``, URLs that lack a leading "www." will be
|
||||||
redirected to the same URL with a leading "www."
|
redirected to the same URL with a leading "www."
|
||||||
|
|
||||||
|
@ -101,6 +101,22 @@ Handles conditional GET operations. If the response has a ``ETag`` or
|
||||||
Also removes the content from any response to a HEAD request and sets the
|
Also removes the content from any response to a HEAD request and sets the
|
||||||
``Date`` and ``Content-Length`` response-headers.
|
``Date`` and ``Content-Length`` response-headers.
|
||||||
|
|
||||||
|
django.middleware.http.SetRemoteAddrFromForwardedFor
|
||||||
|
----------------------------------------------------
|
||||||
|
|
||||||
|
**New in Django development version**
|
||||||
|
|
||||||
|
Sets ``request['REMOTE_ADDR']`` based on ``request.['HTTP_X_FORWARDED_FOR']``,
|
||||||
|
if the latter is set. This is useful if you're sitting behind a reverse proxy
|
||||||
|
that causes each request's ``REMOTE_ADDR`` to be set to ``127.0.0.1``.
|
||||||
|
|
||||||
|
**Important note:** This does NOT validate ``HTTP_X_FORWARDED_FOR``. If you're
|
||||||
|
not behind a reverse proxy that sets ``HTTP_X_FORWARDED_FOR`` automatically, do
|
||||||
|
not use this middleware. Anybody can spoof the value of
|
||||||
|
``HTTP_X_FORWARDED_FOR``, and because this sets ``REMOTE_ADDR`` based on
|
||||||
|
``HTTP_X_FORWARDED_FOR``, that means anybody can "fake" their IP address. Only
|
||||||
|
use this when you can absolutely trust the value of ``HTTP_X_FORWARDED_FOR``.
|
||||||
|
|
||||||
django.contrib.sessions.middleware.SessionMiddleware
|
django.contrib.sessions.middleware.SessionMiddleware
|
||||||
----------------------------------------------------
|
----------------------------------------------------
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue