From: Teemu A. <te...@io...> - 2005-04-19 15:50:40
> Teemu recently committed a change to OI2::Request to add a property of
> 'forwarded_for' so adapters can store the actual IP address rather
> than just pass the proxy address back. I'm not sure if any adapter
> changes were made though.

Yes, now you can access the X-Forwarded-For which is set by most proxies (like squid) when a request passes through:

    CTX->request->forwarded_for

Which usually contains something like this:

    125.12.154.2, Unknown, 142.111.123.123, 212.222.21.4

where 125.* is set by your farthest proxy and 127.* is set by your nearest proxy (for example, one in localhost). It's up to you to decide which one of these to trust.

I haven't implemented any additional adapter functionality or such to override what you have in CTX->request->remote_host

I think a server.ini configuration parameter which sets the number of trusted steps backwards in the forwarded_for chain would do it. Something like:

    trusted_proxies = 2

Would set 142.111.123.123 as the client's real IP address, as you know that both 142.* and 212.* were provided by proxies you control and there is no way to access your server through any other IP address. This is important: it's easy to forge the X-Forwarded-For to whatever you want if you can access the server directly.

Regards,

Teemu Arina
Dicole
Komeetankuja 4 A
02210 Espoo
FINLAND
Tel: +358-(0)50 - 555 7636
skype: infe00

Corporate website: http://www.dicole.com
FLOSS in education blog: http://flosse.dicole.org
Personal weblog: http://infedelic.blogspot.com

"Discover, collaborate, learn."
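
A sketch of the trusted_proxies idea from the message above, as an added example that is not part of the original post or of OpenInteract2. The helpers client_ip() and is_ipv4() are hypothetical, and the code assumes trusted_proxies = N selects the Nth entry counted from the right-hand end of the chain (as in the message's example), falls back to the connection's remote address when that entry is unusable, and handles IPv4 only.

```perl
use strict;
use warnings;

# Added example, not OpenInteract2 code: client_ip() and is_ipv4() are
# hypothetical helpers. Assumption: trusted_proxies = N selects the Nth
# entry counted from the right-hand end of the chain. IPv4 only.

# Accept only a dotted-quad address, so tokens such as "Unknown" fail.
sub is_ipv4 {
    my ($s) = @_;
    return 0 unless defined $s
        && $s =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    my $bad = grep { $_ > 255 } $1, $2, $3, $4;
    return $bad ? 0 : 1;
}

# $remote_host: TCP peer address; $forwarded_for: raw header (may be undef);
# $trusted_proxies: number of proxies you control in front of the server.
sub client_ip {
    my ( $remote_host, $forwarded_for, $trusted_proxies ) = @_;

    # With no trusted proxies the header is client-supplied: ignore it.
    return $remote_host unless $trusted_proxies && defined $forwarded_for;

    ( my $value = $forwarded_for ) =~ s/^\s+|\s+$//g;
    my @chain = split /\s*,\s*/, $value;

    # Fewer entries than trusted hops means the request did not pass the
    # whole proxy chain, so no entry can be attributed to your proxies.
    return $remote_host if @chain < $trusted_proxies;

    # Step backwards from the nearest-proxy end of the chain.
    my $candidate = $chain[ -$trusted_proxies ];
    return is_ipv4($candidate) ? $candidate : $remote_host;
}

# Constructed sample input: the chain quoted in the message.
my $xff = '125.12.154.2, Unknown, 142.111.123.123, 212.222.21.4';
print client_ip( '127.0.0.1', $xff, 2 ), "\n";    # two trusted hops
print client_ip( '127.0.0.1', $xff, 3 ), "\n";    # selected entry is "Unknown"
print client_ip( '127.0.0.1', $xff, 0 ), "\n";    # no trusted proxies
print client_ip( '203.0.113.9', '10.0.0.1', 2 ), "\n";    # chain too short
```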