rack-devel archive mirror (unofficial) https://groups.google.com/group/rack-devel
* Mongrel handler doesn't set env[REMOTE_ADDR] with the value of "X-Forwarded-For" header
@ 2009-09-13 15:52 Iñaki Baz Castillo
  2009-09-13 21:51 ` Michael Fellinger
  0 siblings, 1 reply; 5+ messages in thread
From: Iñaki Baz Castillo @ 2009-09-13 15:52 UTC (permalink / raw)
  To: rack-devel


Hi, usually when an HTTP proxy routes a request it adds an "X-Forwarded-For: 
CLIENT_IP" header to the request so the web server can know the client IP of the 
request.

In fact, using Thin handler, env[REMOTE_ADDR] is set to the value of
X-Forwarded-For header (if present).

However, using the Mongrel or Webrick handlers this doesn't occur and 
env[REMOTE_ADDR] is set to the HTTP proxy IP.

Anyhow I don't see it described in Rack specifications so perhaps it's not 
mandatory.

-- 
Iñaki Baz Castillo <ibc@aliax.net>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Mongrel handler doesn't set env[REMOTE_ADDR] with the value of  "X-Forwarded-For" header
  2009-09-13 15:52 Mongrel handler doesn't set env[REMOTE_ADDR] with the value of "X-Forwarded-For" header Iñaki Baz Castillo
@ 2009-09-13 21:51 ` Michael Fellinger
  2009-09-13 22:08   ` Iñaki Baz Castillo
  0 siblings, 1 reply; 5+ messages in thread
From: Michael Fellinger @ 2009-09-13 21:51 UTC (permalink / raw)
  To: rack-devel


On Sun, Sep 13, 2009 at 5:52 PM, Iñaki Baz Castillo <ibc@aliax.net> wrote:
>
> Hi, usually when a http proxy routes a request it adds a "X-Forwarded-For:
> CLIENT_IP" to the request so the web server can know the client IP of the
> request.
>
> In fact, using Thin handler, env[REMOTE_ADDR] is set to the value of
> X-Forwarded-For header (if present).
>
> However using Mongrel or Webrick handlers it doesn't occur and
> env[REMOTE_ADDR] is set to the http proxy IP.
>
> Anyhow I don't see it described in Rack specifications so perhaps it's not
> mandatory.

I think many frameworks actually show X-Forwarded-For instead of
REMOTE_ADDR if available via Request#ip. I'm not sure whether overwriting
is a good idea; I'm not a fan of losing information.

>
> --
> Iñaki Baz Castillo <ibc@aliax.net>
>

-- 
Michael Fellinger
CTO, The Rubyists, LLC


* Re: Mongrel handler doesn't set env[REMOTE_ADDR] with the value of  "X-Forwarded-For" header
  2009-09-13 21:51 ` Michael Fellinger
@ 2009-09-13 22:08   ` Iñaki Baz Castillo
  2009-09-13 22:14     ` Aman Gupta
  0 siblings, 1 reply; 5+ messages in thread
From: Iñaki Baz Castillo @ 2009-09-13 22:08 UTC (permalink / raw)
  To: rack-devel


On Sunday, September 13, 2009, Michael Fellinger wrote:
> On Sun, Sep 13, 2009 at 5:52 PM, Iñaki Baz Castillo <ibc@aliax.net> wrote:
> > Hi, usually when a http proxy routes a request it adds a
> > "X-Forwarded-For: CLIENT_IP" to the request so the web server can know
> > the client IP of the request.
> >
> > In fact, using Thin handler, env[REMOTE_ADDR] is set to the value of
> > X-Forwarded-For header (if present).
> >
> > However using Mongrel or Webrick handlers it doesn't occur and
> > env[REMOTE_ADDR] is set to the http proxy IP.
> >
> > Anyhow I don't see it described in Rack specifications so perhaps it's
> > not mandatory.
> 
> I think many frameworks actually show X-Forwarded-For instead of
> REMOTE_ADDR if available via Request#ip, not sure whether overwriting
> is a good idea, I'm not a fan of losing information.

Yes, I agree. However, I would just like to point out the fact that while Thin does 
it, others don't do it, so Rack env["SERVER_ADDR"] is different depending on the 
HTTP server used.

Regards.



-- 
Iñaki Baz Castillo <ibc@aliax.net>


* Re: Mongrel handler doesn't set env[REMOTE_ADDR] with the value of  "X-Forwarded-For" header
  2009-09-13 22:08   ` Iñaki Baz Castillo
@ 2009-09-13 22:14     ` Aman Gupta
  2009-09-13 22:44       ` Iñaki Baz Castillo
  0 siblings, 1 reply; 5+ messages in thread
From: Aman Gupta @ 2009-09-13 22:14 UTC (permalink / raw)
  To: rack-devel


On Sun, Sep 13, 2009 at 3:08 PM, Iñaki Baz Castillo <ibc@aliax.net> wrote:
>
> El Domingo, 13 de Septiembre de 2009, Michael Fellinger escribió:
>> On Sun, Sep 13, 2009 at 5:52 PM, Iñaki Baz Castillo <ibc@aliax.net> wrote:
>> > Hi, usually when a http proxy routes a request it adds a
>> > "X-Forwarded-For: CLIENT_IP" to the request so the web server can know
>> > the client IP of the request.
>> >
>> > In fact, using Thin handler, env[REMOTE_ADDR] is set to the value of
>> > X-Forwarded-For header (if present).
>> >
>> > However using Mongrel or Webrick handlers it doesn't occur and
>> > env[REMOTE_ADDR] is set to the http proxy IP.
>> >
>> > Anyhow I don't see it described in Rack specifications so perhaps it's
>> > not mandatory.
>>
>> I think many frameworks actually show X-Forwarded-For instead of
>> REMOTE_ADDR if available via Request#ip, not sure whether overwriting
>> is a good idea, I'm not a fan of losing information.
>
> Yes, I agree. However, I would just like to point out the fact that while Thin does
> it, others don't do it, so Rack env["SERVER_ADDR"] is different depending on the
> HTTP server used.

Overwriting env['REMOTE_ADDR'] with X-Forwarded-For is not a good
idea, because the X-Forwarded-For header can be forged by the client.

  Aman

>
> Regards.
>
>
>
> --
> Iñaki Baz Castillo <ibc@aliax.net>
>


* Re: Mongrel handler doesn't set env[REMOTE_ADDR] with the value of  "X-Forwarded-For" header
  2009-09-13 22:14     ` Aman Gupta
@ 2009-09-13 22:44       ` Iñaki Baz Castillo
  0 siblings, 0 replies; 5+ messages in thread
From: Iñaki Baz Castillo @ 2009-09-13 22:44 UTC (permalink / raw)
  To: rack-devel


On Monday, September 14, 2009, Aman Gupta wrote:

> Overwriting env['REMOTE_ADDR'] with X-Forwarded-For is not a good
> idea, because the X-Forwarded-For header can be forged by the client.

True.

In the case of a scenario with an HTTP proxy, the proxy must insert that header and 
ensure it deletes any existing ones (probably spoofed by the client).

But if Thin runs alone (no proxy) and receives a spoofed request with 
"X-Forwarded-For" then it will fail when logging SERVER_ADDR. And it can be a 
security risk!


-- 
Iñaki Baz Castillo <ibc@aliax.net>

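The two positions taken in this thread (Aman: the header can be forged by whoever connects directly; Iñaki: with a proxy in front, only the proxy's own entry can be trusted) can be put side by side in code. The block below is an added example written for this archive; it is not code from Rack, Thin or Mongrel. It works on a plain Rack env hash and uses only the standard Rack/CGI keys REMOTE_ADDR and HTTP_X_FORWARDED_FOR. The TRUSTED_PROXIES ranges and the env key 'client.ip' are assumptions made for the example; a real deployment lists the addresses of its own reverse proxies.

```ruby
require 'ipaddr'

# Added example, not code from Rack, Thin or Mongrel: derive the client IP
# from a Rack env without trusting X-Forwarded-For blindly. The proxy ranges
# below are an assumption for the example (loopback plus RFC 1918).
TRUSTED_PROXIES = %w[127.0.0.0/8 ::1/128 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
                  .map { |cidr| IPAddr.new(cidr) }.freeze

# Parse one header/peer value as a single IP address; anything else (junk,
# a CIDR prefix, an empty field) yields nil so it can never become "the client".
def parse_ip(str)
  str = str.to_s.strip
  return nil if str.empty? || str.include?('/')
  IPAddr.new(str)
rescue ArgumentError # IPAddr::InvalidAddressError and friends derive from it
  nil
end

def trusted_proxy?(ip)
  !ip.nil? && TRUSTED_PROXIES.any? { |net| net.include?(ip) }
end

# The behaviour the thread attributes to Thin: whenever X-Forwarded-For is
# present it wins. Whoever connects to the server directly picks the value,
# so logs, rate limits and IP allow-lists all see an attacker-chosen address.
def naive_client_ip(env)
  xff = env['HTTP_X_FORWARDED_FOR'].to_s.strip
  xff.empty? ? env['REMOTE_ADDR'] : xff.split(',').first.strip
end

# Hardened variant. REMOTE_ADDR (the TCP peer) is never overwritten, which
# keeps the information Michael did not want to lose. X-Forwarded-For is
# consulted only when that peer is one of our proxies, and the list is walked
# from the right: each proxy appends the address it saw, so the rightmost
# entries were written by hops we trust and the leftmost by the client itself.
# The first address from the right that is not a trusted proxy is the client.
def client_ip(env)
  peer = env['REMOTE_ADDR'].to_s.strip
  return peer unless trusted_proxy?(parse_ip(peer))

  hops = env['HTTP_X_FORWARDED_FOR'].to_s.split(',')
                                     .map { |h| parse_ip(h) }.compact
  hops.reverse_each { |hop| return hop.to_s unless trusted_proxy?(hop) }
  # Every hop was internal (or the header was absent/garbage): the farthest
  # known address is the best answer, falling back to the peer.
  hops.empty? ? peer : hops.first.to_s
end

# Rack middleware form: publish the derived address under its own key
# (assumed name 'client.ip') and leave REMOTE_ADDR exactly as the server set it.
class ClientIp
  def initialize(app)
    @app = app
  end

  def call(env)
    env['client.ip'] = client_ip(env)
    @app.call(env)
  end
end

if $PROGRAM_NAME == __FILE__
  app = ClientIp.new(->(env) { [200, { 'Content-Type' => 'text/plain' }, [env['client.ip']]] })
  # Constructed requests: a direct client spoofing the header, and a client
  # behind a trusted proxy that also prepended a fake entry.
  [
    { 'REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4' },
    { 'REMOTE_ADDR' => '10.0.0.1',    'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 198.51.100.9' }
  ].each do |env|
    _, _, body = app.call(env)
    puts "peer=#{env['REMOTE_ADDR']} xff=#{env['HTTP_X_FORWARDED_FOR'].inspect} " \
         "naive=#{naive_client_ip(env)} hardened=#{body.first}"
  end
end
```

Running the file shows the difference the thread is about: for the direct connection the naive rule reports 1.2.3.4 while the hardened rule keeps 203.0.113.7, and for the proxied request the naive rule still reports the client's forged 1.2.3.4 while the hardened rule reports 198.51.100.9, the address the trusted proxy appended. Taking the rightmost untrusted entry rather than the leftmost is what makes the proxy case robust; deleting client-supplied headers at the proxy, as Iñaki suggests, is still the cleaner fix, and the two measures are complementary.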
