Re: [Openinteract-help] OpenInteract::ProxyRemoteAddr

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

> Teemu recently committed a change to OI2::Request to add a property of
> 'forwarded_for' so adapters can store the actual IP address rather
> than just pass the proxy address back. I'm not sure if any adapter
> changes were made though.

Yes, now you can access the X-Forwarded-For which is set by most proxies
(like squid) when a request passes through:

CTX->request->forwarded_for

Which ususally contains something like this:

125.12.154.2, Unknown, 142.111.123.123, 212.222.21.4

where 125.* is set by your farest proxy and 127.* is set by your nearest proxy
(for example, one in localhost).

It's up to you to decide which one these to trust. I haven't implemented anything
additional adapter functionality or such to override what you have in
CTX->request->remote_host

I think a server.ini configuration parameter which sets the number of trusted steps
backwards in the forwarded_for chain would do it.

Something like:
trusted_proxies = 2

Would set 142.111.123.123 as the clients real IP address, as you know that both 142.* and 212.*
were provided by proxies you control and there is no way to access your server through any
other IP address. This is important: it's easy to forge the X-Forwarded-For to what ever you want
if you can access the server directly.

Regards,

Teemu Arina

Dicole
Komeetankuja 4 A
02210 Espoo
FINLAND
Tel: +358-(0)50 - 555 7636
skype: infe00
Corporate website: http://www.dicole.com
FLOSS in education blog: http://flosse.dicole.org
Personal weblog: http://infedelic.blogspot.com

"Discover, collaborate, learn."