Django

Changeset 3602

Timestamp: 08/17/06 22:12:36 (2 years ago)
Author: adrian
Message: Fixed #2552 -- Added SetRemoteAddrFromForwardedFor middleware and documentation. Thanks, Ian Holsman

Files:

  • django/trunk/django/middleware/http.py

    r3171 r3602  
    3636 
    3737        return response 
     38 
     39class SetRemoteAddrFromForwardedFor(object): 
     40    """ 
     41    Middleware that sets REMOTE_ADDR based on HTTP_X_FORWARDED_FOR, if the 
     42    latter is set. This is useful if you're sitting behind a reverse proxy that 
     43    causes each request's REMOTE_ADDR to be set to 127.0.0.1. 
     44 
     45    Note that this does NOT validate HTTP_X_FORWARDED_FOR. If you're not behind 
     46    a reverse proxy that sets HTTP_X_FORWARDED_FOR automatically, do not use 
     47    this middleware. Anybody can spoof the value of HTTP_X_FORWARDED_FOR, and 
     48    because this sets REMOTE_ADDR based on HTTP_X_FORWARDED_FOR, that means 
     49    anybody can "fake" their IP address. Only use this when you can absolutely 
     50    trust the value of HTTP_X_FORWARDED_FOR. 
     51    """ 
     52    def process_request(self, request): 
     53        try: 
     54            real_ip = request.META['HTTP_X_FORWARDED_FOR'] 
     55        except KeyError: 
     56            return None 
     57        else: 
     58            # HTTP_X_FORWARDED_FOR can be a comma-separated list of IPs. 
     59            # Take just the first one. 
     60            real_ip = real_ip.split(",")[0] 
     61            request.META['REMOTE_ADDR'] = real_ip 
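
Review bot: In process_request, `real_ip.split(",")[0]` takes the leftmost entry of HTTP_X_FORWARDED_FOR, which is the part of the header a client can supply itself. A proxy that appends to an existing header puts the address it actually saw last, so this choice is only safe when the proxy overwrites the header rather than appending. The docstring should state that requirement, or the code should take the entry added by the trusted proxy. Two smaller points: the chosen entry is not passed through strip(), so any surrounding whitespace ends up in REMOTE_ADDR, and the overwrite happens for every request carrying the header, without checking that the original REMOTE_ADDR is the proxy address (the 127.0.0.1 case the docstring describes).
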
  • django/trunk/docs/middleware.txt

    r2980 r3602  
    6464  redirected to ``foo.com/bar/``, but ``foo.com/bar/file.txt`` is passed 
    6565  through unchanged. 
    66    
     66 
    6767  If ``PREPEND_WWW`` is ``True``, URLs that lack a leading "www." will be 
    6868  redirected to the same URL with a leading "www." 
     
    101101Also removes the content from any response to a HEAD request and sets the 
    102102``Date`` and ``Content-Length`` response-headers. 
     103 
     104django.middleware.http.SetRemoteAddrFromForwardedFor 
     105---------------------------------------------------- 
     106 
     107**New in Django development version** 
     108 
     109Sets ``request['REMOTE_ADDR']`` based on ``request.['HTTP_X_FORWARDED_FOR']``, 
     110if the latter is set. This is useful if you're sitting behind a reverse proxy 
     111that causes each request's ``REMOTE_ADDR`` to be set to ``127.0.0.1``. 
     112 
     113**Important note:** This does NOT validate ``HTTP_X_FORWARDED_FOR``. If you're 
     114not behind a reverse proxy that sets ``HTTP_X_FORWARDED_FOR`` automatically, do 
     115not use this middleware. Anybody can spoof the value of 
     116``HTTP_X_FORWARDED_FOR``, and because this sets ``REMOTE_ADDR`` based on 
     117``HTTP_X_FORWARDED_FOR``, that means anybody can "fake" their IP address. Only 
     118use this when you can absolutely trust the value of ``HTTP_X_FORWARDED_FOR``. 
    103119 
    104120django.contrib.sessions.middleware.SessionMiddleware
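
Review bot: The first sentence of the new section writes the lookups as ``request['REMOTE_ADDR']`` and ``request.['HTTP_X_FORWARDED_FOR']``; the second has a stray dot, and both should read ``request.META[...]`` to match what the middleware in http.py reads and sets. The section also omits that only the first entry of a comma-separated header is used, which the code comment states and which readers need in order to decide whether they can trust the header.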