[hunchentoot-devel] real-remote-addr and proxy chains
Edi Weitz
edi at agharta.de
Sun Nov 5 20:18:42 UTC 2006
On Thu, 02 Nov 2006 11:15:56 -0700, "Robert J. Macomber" <tbnl at rojoma.com> wrote:
> The real-remote-addr function currently returns the value of the
> x-forwarded-for header if it's set, or remote-addr if it's not. In
> the case of chains of proxies, this gives unexpected results as each
> proxy appends the address it's proxying for onto the end of the
> list.
>
> Since I imagine this function is intended to be used in situations
> where Hunchentoot is sitting behind proxies of its own, I've written
> a function to split things up to give a particular entry in this
> chain. Most of the time, I imagine you'd just want the address
> added by the closest proxy but if (for example) you're behind
> mod_proxy behind squid, this function can tell you the address of
> the agent that hit the squid server.
Hmm, I see the problem, but that actually wasn't the only situation
this was written for. I also imagined proxies I wouldn't have control
of like those used by, say, AOL customers. To be honest, I didn't
even know that chained proxies will add to the XFF header instead of
just replacing it. Is this behaviour specified somewhere?
Anyway, I was thinking that maybe a better API would look like this:
1. If there is no XFF header, return REMOTE-ADDR as it is now.
2. If there is an XFF header, return two values - the second one is a
list of all IP addresses in the header, the first one is the last
element of this list.
How about that?
Cheers,
Edi.
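The two-value API proposed above and Robert's "pick an entry in the chain" function, sketched in Common Lisp as an added example (this is not Hunchentoot's code). HEADER-IN and REMOTE-ADDR are assumed stand-ins over a plist so it runs without the server loaded, and the addresses are constructed.

```lisp
;; Stand-ins for Hunchentoot's HEADER-IN and REMOTE-ADDR (assumed for this
;; example); a "request" here is just a plist.
(defun header-in (name request) (getf (getf request :headers) name))
(defun remote-addr (request) (getf request :remote-addr))

(defun split-xff (header)
  "Split an X-Forwarded-For header into trimmed, non-empty entries in the
order the proxies appended them (original client first, closest proxy last)."
  (loop with start = 0
        for pos = (position #\, header :start start)
        for entry = (string-trim '(#\Space #\Tab) (subseq header start pos))
        unless (string= entry "") collect entry
        while pos
        do (setf start (1+ pos))))

(defun real-remote-addr* (request)
  "Proposed API: with no XFF header return REMOTE-ADDR alone; otherwise
return two values, the last XFF element (added by the closest proxy) and
the whole list."
  (let* ((xff (header-in :x-forwarded-for request))
         (chain (and xff (split-xff xff))))
    (if chain
        (values (car (last chain)) chain)
        (remote-addr request))))

(defun forwarded-addr-at (request trusted-hops)
  "Address seen by the TRUSTED-HOPS-th proxy counting outward from
Hunchentoot: 1 = entry added by the closest proxy (e.g. mod_proxy),
2 = entry added by the one in front of it (e.g. squid). Returns NIL when
the chain is shorter; entries beyond the proxies you run were not added
by anything you control, so the caller must decide how far to trust them."
  (let ((chain (nth-value 1 (real-remote-addr* request))))
    (and (<= 1 trusted-hops (length chain))
         (nth (- (length chain) trusted-hops) chain))))

;; Constructed sample: client 203.0.113.5 -> squid 198.51.100.9 ->
;; mod_proxy 192.0.2.1 -> Hunchentoot.
(defparameter *request*
  (list :remote-addr "192.0.2.1"
        :headers (list :x-forwarded-for "203.0.113.5, 198.51.100.9")))

(multiple-value-bind (closest chain) (real-remote-addr* *request*)
  (format t "closest: ~A  chain: ~S  hop 2: ~A~%"
          closest chain (forwarded-addr-at *request* 2)))
```

For the sample request the first value is the squid address (what mod_proxy saw) and hop 2 is the client address, matching the "mod_proxy behind squid" case in the quoted message.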