[Catalyst-dev] Re: Catalyst::Engine::Apache X-Forwarded-* Handling

A. Pagaltzis pagaltzis at gmx.de
Thu May 24 01:49:58 GMT 2007


* John Shields <johnmshields at gmail.com> [2007-05-24 02:10]:
> My position with this patch is that the IP returned by
> $c->req->address should be the closest thing to the browser IP
> as possible.

Sensible.

> Due to possible spoofing, there is no definitive way to
> determine that the header is valid (as far as I can tell). So
> my thinking is that Apache.pm should assume that the
> "X-Forwarded-For" header is valid.

Not sensible. This **MUST** be optional and off by default, or
else it’s a hole in the Catalyst default config.

> I think that Apache.pm either needs to assume that the
> "X-Forwarded-For" header is valid or have some more
> configuration options to allow you to control the IP selection
> from the list. This configuration could be similar to the
> "mod_extract_forwarded". But again, I think this can (should)
> be handled at the proxy configuration level rather than at the
> Catalyst code level.

Not everyone has control of their proxy. The app I mainly work on
runs in a University data centre. I have a lot of say in what
goes on our server but none whatsoever about the network
structure at large, and proxy issues caught me out more than
once. So it would be nice if Catalyst was accommodating of various
scenarios here.

My proposal would be for an option that can have one of the
following values:

1. An IP address.
2. An array of trusted IP addresses.
3. The string `trusted`.
4. Anything else.

If it’s an IP, then Catalyst checks the request to see if it’s
the same as the REMOTE_HOST, in which case it takes the *last*
address from X-Forwarded-For and returns that from $req->address.

If it’s an array, then REMOTE_HOST is checked to see if it matches
*any* of them, and after replacing the value with the last
address from X-Forwarded-For, the process repeats. (So by passing
a list, you can fold up the path through several trusted proxies.)

If it’s the string `trusted`, Catalyst blindly takes the first
entry from the header. It is assumed that your proxy setup will
make sure that everything is orderly.

If it’s anything else, nothing happens.

Should performance be an issue, the chosen algorithm could be
compiled to a closure at startup.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
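
The four option values proposed in this message, sketched in Perl as an added example (not code from the message, the patch under discussion or Catalyst itself), including the compile-to-a-closure step. The names `make_address_resolver` and `split_xff`, the loose IP check and the sample addresses are assumptions; the peer argument stands for what the message calls REMOTE_HOST.

```perl
use strict;
use warnings;

# Split an X-Forwarded-For value into a list of addresses, leftmost first.
sub split_xff {
    my ($xff) = @_;
    return () unless defined $xff;
    (my $v = $xff) =~ s/^\s+|\s+$//g;
    return grep { length } split /\s*,\s*/, $v;
}

# Compile the option into a closure once at startup. The closure takes the
# socket peer address and the raw header and returns the address to report.
sub make_address_resolver {
    my ($opt) = @_;
    $opt = '' unless defined $opt;

    if (!ref($opt) && $opt eq 'trusted') {     # value 3: first entry, blindly
        return sub { my @hops = split_xff($_[1]); @hops ? $hops[0] : $_[0] };
    }

    # Values 1 and 2. The IP test is a loose character check (assumption).
    my ($trusted, $repeat) =
          ref($opt) eq 'ARRAY'                        ? ($opt, 1)
        : (!ref($opt) && $opt =~ /^[0-9A-Fa-f.:]+$/)  ? ([$opt], 0)
        :                                               ([], 0);
    return sub { $_[0] } unless @$trusted;     # value 4: nothing happens

    my %is_trusted = map { $_ => 1 } @$trusted;
    return sub {
        my ($peer, $xff) = @_;
        my @hops = split_xff($xff);
        # Replace a trusted peer with the last header entry; with a list,
        # repeat so a chain of trusted proxies folds up right to left.
        while ($is_trusted{$peer} && @hops) {
            $peer = pop @hops;
            last unless $repeat;
        }
        return $peer;
    };
}

# Constructed sample: the client sent a forged "X-Forwarded-For: 10.9.9.9";
# proxies 192.0.2.10 and then 192.0.2.20 each appended the peer they saw.
my $xff = '10.9.9.9, 203.0.113.7, 192.0.2.10';
for my $opt ('192.0.2.20', ['192.0.2.20', '192.0.2.10'], 'trusted', undef) {
    my $label = ref($opt) ? 'list' : defined($opt) ? $opt : 'unset';
    printf "%-12s => %s\n", $label, make_address_resolver($opt)->('192.0.2.20', $xff);
}
```

With the list value the walk stops at the first address that is not a trusted proxy, so the forged leftmost entry is never reported; with `trusted` the leftmost entry is reported as-is.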


