[hunchentoot-devel] real-remote-addr and proxy chains

Toby tobia.conforto at linux.it
Sun Nov 5 22:20:06 UTC 2006


Edi Weitz wrote:
> Er, if the proxies add to the end of the list (which I didn't take
> into account), it'd be better to return the first and not the last
> element of the list, right?

I've made a few tests with open proxies on the net.

Most, if not all, add to the end of the list, instead of replacing it.

Some don't bother to append/replace the list with the client address 
(I guess they would be called "anonymous") and some even append
127.0.0.1 or other internal addresses at the end, for whatever reason.

In any case, seeing as an X-Forwarded-For header is quite easy to forge,
trusting the first element of the list doesn't make much sense.

I guess the only real use would be getting the n-th to the last item, to
trim away n known (and trusted) proxies and get to the real client
address, as seen by the proxy + lisp image server setup.


Toby
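
The trimming described in the message above, as an added example in Python that is not part of the original post or of Hunchentoot's code. The function name, the `trusted_peers` check and the fallback to the TCP peer address are assumptions of this sketch, and the addresses are constructed sample values.

```python
import ipaddress


def client_addr_behind_proxies(peer_addr, xff_headers, trusted_hops, trusted_peers):
    """Return the client address as seen by the outermost trusted proxy.

    peer_addr     -- address of the TCP connection to the server
    xff_headers   -- raw X-Forwarded-For header values, in arrival order
    trusted_hops  -- n, the number of known proxies in front of the server
    trusted_peers -- peer addresses from which the header is accepted (assumption)
    """
    # A request that did not arrive through our own proxy can carry any
    # header it likes, so only the connection address is usable.
    if trusted_hops < 1 or peer_addr not in trusted_peers:
        return peer_addr

    # Several header lines are equivalent to one comma-joined list.
    entries = [e.strip() for value in xff_headers for e in value.split(",")]

    # Each trusted proxy appends exactly one entry, so the last n entries were
    # written by our proxies and everything before them is client-supplied.
    if len(entries) < trusted_hops:
        return peer_addr
    candidate = entries[-trusted_hops]

    # Entries such as "unknown" or garbage are not addresses: fall back.
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer_addr


# Constructed sample: two trusted proxies, 10.0.0.1 (outer) and 10.0.0.2 (inner).
TRUSTED = {"10.0.0.2"}
# The client 198.51.100.23 sent a forged first entry "1.2.3.4".
FORGED_CHAIN = ["1.2.3.4, 198.51.100.23, 10.0.0.1"]

if __name__ == "__main__":
    print(client_addr_behind_proxies("10.0.0.2", FORGED_CHAIN, 2, TRUSTED))
```

Taking the first element of `FORGED_CHAIN` would return the forged `1.2.3.4`; counting back from the end returns the address the outer proxy actually saw.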


