Subject: Re: Problem with redirects where a Rack app sits behind a proxy
From: Jon Leighton
To: rack-devel@googlegroups.com
Date: Sun, 28 Nov 2010 15:22:16 +0000
Message-ID: <1290957736.10339.4.camel@tybalt>

Hi Lee,

Thanks for your reply. I'm not entirely following though, so I wonder if
there is some confusion. For a start, this issue doesn't relate to
X-Forwarded-For, but to X-Forwarded-Host and the SERVER_NAME and
SERVER_PORT env variables set by the app servers.

My basic complaint is that Rack is taking the absence of a ":port"
section in X-Forwarded-For to mean "fall back to SERVER_PORT", when in
fact I think it should be interpreted as "fall back to port 80 (or
443)". (Which is what Rails does.)

See https://github.com/jonleighton/redirect_test/blob/master/README.md
for more detail.

Hope this makes sense.

Cheers,
Jon

On Sun, 2010-11-28 at 15:46 +0100, Lee Hambley wrote:
> Jon, it's the responsibility of your proxy to set X-Forwarded-For, and
> of the Application to check :port if it cares about the real port, or
> the X-Forwarded-For list in the case that you acknowledge the request
> might be proxied.
>
> Often XFF can be used to trick sites that use it for some `security`
> (not your case) as the client can spoof it.
>
> In case you use NGinx, at least you can specify to proxy transparently
> (completely) - so your app wouldn't be any wiser.
>
> Some proxies (Akamai) will also set a True-Client-IP header to the
> value set last in XFF.
>
> • http://en.wikipedia.org/wiki/X-Forwarded-For
>
> Hope that makes sense Jon (would be nice to have a standard Ruby way
> to look at the proxies & original client info from the `smart` places,
> as it comes up for a lot of people). Here's a snippet of a nginx
> backend configuration that solved this in the easiest way for me.
> https://gist.github.com/46cc2ba95794f5c92693
>
> - Lee
>
> On 28 November 2010 15:21, Jon Leighton wrote:
> > Hi there,
> >
> > I have encountered a problem with redirects with Sinatra proxied by
> > Apache. Basically, the port number of the backend application server
> > (Mongrel or whatever) will appear in the Location header.
> >
> > I've done a fairly extensive investigation here:
> > https://github.com/jonleighton/redirect_test
> >
> > If you read README.md it basically explains everything in detail, but
> > what it boils down to is this: Rack::Request#port is incorrect, in
> > that it uses SERVER_PORT when no explicit port is given by
> > host_with_port.
> >
> > Rails is not affected, since it implements its own
> > ActionDispatch::Request#port method. I believe the Rails
> > implementation is correct and should be implemented in Rack.
> >
> > If people agree with this analysis then I'm happy to produce a patch
> > against Rack.
> >
> > Cheers,
> > Jon
> >
> > --
> > http://jonathanleighton.com/

--
http://jonathanleighton.com/
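
The port fallback discussed in this thread, as an added Ruby example (not Rack's or Rails' source, and not part of the original message): it models the two behaviours being contrasted and the redirect URL each one produces behind a proxy. Only `host_with_port`, `SERVER_NAME`, `SERVER_PORT` and `X-Forwarded-Host` come from the thread; the other function names, the host name and backend port 3000 are constructed for illustration.

```ruby
# Added illustration; not Rack's or Rails' source. Env keys follow the
# Rack/CGI naming; host names and port numbers are constructed samples.
DEFAULT_PORTS = { "http" => 80, "https" => 443 }.freeze

# Host (optionally "host:port") as the client addressed it: last entry of
# X-Forwarded-Host if present, else Host, else SERVER_NAME. The forwarded
# value is only trustworthy when the proxy overwrites what the client sent.
def host_with_port(env)
  if (fwd = env["HTTP_X_FORWARDED_HOST"])
    fwd.split(/,\s?/).last
  else
    env["HTTP_HOST"] || env["SERVER_NAME"]
  end
end

def explicit_port(env)
  m = host_with_port(env).match(/:(\d+)\z/)
  m && m[1].to_i
end

# Behaviour described in the message: no ":port" => fall back to SERVER_PORT.
def port_server_fallback(env)
  explicit_port(env) || env["SERVER_PORT"].to_i
end

# Behaviour the message proposes: no ":port" => the scheme's default port.
def port_scheme_default(env)
  explicit_port(env) || DEFAULT_PORTS.fetch(env["rack.url_scheme"])
end

# Absolute URL for a Location header; the port is omitted when it is the default.
def redirect_location(env, path, port)
  scheme = env["rack.url_scheme"]
  host = host_with_port(env).sub(/:\d+\z/, "")
  suffix = port == DEFAULT_PORTS[scheme] ? "" : ":#{port}"
  "#{scheme}://#{host}#{suffix}#{path}"
end

# Constructed request: a proxy on port 80 in front of a backend on port 3000.
PROXIED_ENV = {
  "rack.url_scheme" => "http",
  "HTTP_X_FORWARDED_HOST" => "www.example.com",
  "HTTP_HOST" => "127.0.0.1:3000",
  "SERVER_NAME" => "127.0.0.1",
  "SERVER_PORT" => "3000",
}.freeze

puts redirect_location(PROXIED_ENV, "/login", port_server_fallback(PROXIED_ENV))
puts redirect_location(PROXIED_ENV, "/login", port_scheme_default(PROXIED_ENV))
```

With the SERVER_PORT fallback the backend's port ends up in the redirect URL; with the scheme-default fallback the URL matches what the client originally requested.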