rack-devel archive mirror (unofficial) https://groups.google.com/group/rack-devel
 help / color / mirror / code / Atom feed
* Mongrel handler doesn't set env[REMOTE_ADDR] with the value of "X-Forwarded-For" header
@ 2009-09-13 15:52 Iñaki Baz Castillo
  2009-09-13 21:51 ` Michael Fellinger
  0 siblings, 1 reply; 5+ messages in thread
From: Iñaki Baz Castillo @ 2009-09-13 15:52 UTC (permalink / raw)
  To: rack-devel


Hi, usually when a http proxy routes a request it adds a "X-Forwarded-For: 
CLIENT_IP" to the request so the web server can know the client IP of the 
request.

In fact, using Thin handler, env[REMOTE_ADDR] is set to the value of
X-Forwarded-For header (if present).

However using Mongrel or Webrick handlers it doesn't occur and 
env[REMOTE_ADDR] is set to the http proxy IP.

Anyhow I don't see it described in Rack specifications so perhaps it's not 
mandatory.

-- 
Iñaki Baz Castillo <ibc@aliax.net>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Mongrel handler doesn't set env[REMOTE_ADDR] with the value of  "X-Forwarded-For" header
  2009-09-13 15:52 Mongrel handler doesn't set env[REMOTE_ADDR] with the value of "X-Forwarded-For" header Iñaki Baz Castillo
@ 2009-09-13 21:51 ` Michael Fellinger
  2009-09-13 22:08   ` Iñaki Baz Castillo
  0 siblings, 1 reply; 5+ messages in thread
From: Michael Fellinger @ 2009-09-13 21:51 UTC (permalink / raw)
  To: rack-devel


On Sun, Sep 13, 2009 at 5:52 PM, Iñaki Baz Castillo <ibc@aliax.net> wrote:
>
> Hi, usually when a http proxy routes a request it adds a "X-Forwarded-For:
> CLIENT_IP" to the request so the web server can know the client IP of the
> request.
>
> In fact, using Thin handler, env[REMOTE_ADDR] is set to the value of
> X-Forwarded-For header (if present).
>
> However using Mongrel or Webrick handlers it doesn't occur and
> env[REMOTE_ADDR] is set to the http proxy IP.
>
> Anyhow I don't see it described in Rack specifications so perhaps it's not
> mandatory.

I think many frameworks actually show X-Forwarded-For instead of
REMOTE_ADDR if available via Request#ip, not sure whether overwriting
is a good idea, I'm not a fan of losing information.

>
> --
> Iñaki Baz Castillo <ibc@aliax.net>
>

-- 
Michael Fellinger
CTO, The Rubyists, LLC

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Mongrel handler doesn't set env[REMOTE_ADDR] with the value of  "X-Forwarded-For" header
  2009-09-13 21:51 ` Michael Fellinger
@ 2009-09-13 22:08   ` Iñaki Baz Castillo
  2009-09-13 22:14     ` Aman Gupta
  0 siblings, 1 reply; 5+ messages in thread
From: Iñaki Baz Castillo @ 2009-09-13 22:08 UTC (permalink / raw)
  To: rack-devel


El Domingo, 13 de Septiembre de 2009, Michael Fellinger escribió:
> On Sun, Sep 13, 2009 at 5:52 PM, Iñaki Baz Castillo <ibc@aliax.net> wrote:
> > Hi, usually when a http proxy routes a request it adds a
> > "X-Forwarded-For: CLIENT_IP" to the request so the web server can know
> > the client IP of the request.
> >
> > In fact, using Thin handler, env[REMOTE_ADDR] is set to the value of
> > X-Forwarded-For header (if present).
> >
> > However using Mongrel or Webrick handlers it doesn't occur and
> > env[REMOTE_ADDR] is set to the http proxy IP.
> >
> > Anyhow I don't see it described in Rack specifications so perhaps it's
> > not mandatory.
> 
> I think many frameworks actually show X-Forwarded-For instead of
> REMOTE_ADDR if available via Request#ip, not sure whether overwriting
> is a good idea, I'm not a fan of losing information.

Yes, I agree. However I just woulud like to point the fact that whil Thin does 
it other don't do it, so Rack env["SERVER_ADDR"] is different depending on the 
used http server.

Regards.



-- 
Iñaki Baz Castillo <ibc@aliax.net>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Mongrel handler doesn't set env[REMOTE_ADDR] with the value of  "X-Forwarded-For" header
  2009-09-13 22:08   ` Iñaki Baz Castillo
@ 2009-09-13 22:14     ` Aman Gupta
  2009-09-13 22:44       ` Iñaki Baz Castillo
  0 siblings, 1 reply; 5+ messages in thread
From: Aman Gupta @ 2009-09-13 22:14 UTC (permalink / raw)
  To: rack-devel


On Sun, Sep 13, 2009 at 3:08 PM, Iñaki Baz Castillo <ibc@aliax.net> wrote:
>
> El Domingo, 13 de Septiembre de 2009, Michael Fellinger escribió:
>> On Sun, Sep 13, 2009 at 5:52 PM, Iñaki Baz Castillo <ibc@aliax.net> wrote:
>> > Hi, usually when a http proxy routes a request it adds a
>> > "X-Forwarded-For: CLIENT_IP" to the request so the web server can know
>> > the client IP of the request.
>> >
>> > In fact, using Thin handler, env[REMOTE_ADDR] is set to the value of
>> > X-Forwarded-For header (if present).
>> >
>> > However using Mongrel or Webrick handlers it doesn't occur and
>> > env[REMOTE_ADDR] is set to the http proxy IP.
>> >
>> > Anyhow I don't see it described in Rack specifications so perhaps it's
>> > not mandatory.
>>
>> I think many frameworks actually show X-Forwarded-For instead of
>> REMOTE_ADDR if available via Request#ip, not sure whether overwriting
>> is a good idea, I'm not a fan of losing information.
>
> Yes, I agree. However I just woulud like to point the fact that whil Thin does
> it other don't do it, so Rack env["SERVER_ADDR"] is different depending on the
> used http server.

Overwriting env['REMOTE_ADDR'] with X-Forwarded-For is not a good
idea, because the X-Forwarded-For header can be forged by the client.

  Aman

>
> Regards.
>
>
>
> --
> Iñaki Baz Castillo <ibc@aliax.net>
>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Mongrel handler doesn't set env[REMOTE_ADDR] with the value of  "X-Forwarded-For" header
  2009-09-13 22:14     ` Aman Gupta
@ 2009-09-13 22:44       ` Iñaki Baz Castillo
  0 siblings, 0 replies; 5+ messages in thread
From: Iñaki Baz Castillo @ 2009-09-13 22:44 UTC (permalink / raw)
  To: rack-devel


El Lunes, 14 de Septiembre de 2009, Aman Gupta escribió:

> Overwriting env['REMOTE_ADDR'] with X-Forwarded-For is not a good
> idea, because the X-Forwarded-For header can be forged by the client.

True.

In case of a scenario with http proxy, the proxy must insert that header and 
ensure to delete existing ones (probably spoofed by the client).

But if Thin runs alone (no proxy) and receives a spoofed request with "X-
Forwarded-For" then it will fail when logging SERVER_ADDR. And it can be a 
security risk!


-- 
Iñaki Baz Castillo <ibc@aliax.net>

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2009-09-13 22:44 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2009-09-13 15:52 Mongrel handler doesn't set env[REMOTE_ADDR] with the value of "X-Forwarded-For" header Iñaki Baz Castillo
2009-09-13 21:51 ` Michael Fellinger
2009-09-13 22:08   ` Iñaki Baz Castillo
2009-09-13 22:14     ` Aman Gupta
2009-09-13 22:44       ` Iñaki Baz Castillo

Code repositories for project(s) associated with this inbox:

	https://80x24.org/mirrors/rack.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).