[Catalyst-dev] Re: Catalyst::Engine::Apache X-Forwarded-* Handling
Andy Grundman
andy at hybridized.org
Thu May 24 02:59:08 GMT 2007
On May 23, 2007, at 8:49 PM, A. Pagaltzis wrote:
> * John Shields <johnmshields at gmail.com> [2007-05-24 02:10]:
>> My position with this patch is that the IP returned by
>> $c->req->address should be the closest thing to the browser IP
>> as possible.
>
> Sensible.
No, you don't want to see 192.168.1.1, you want the real address the
user came from.
>
>> Due to possible spoofing, there is no definitive way to
>> determine that the header is valid (as far as I can tell). So
>> my thinking is that Apache.pm should assume that the
>> "X-Forwarded-For" header is valid.
>
> Not sensible. This **MUST** be optional and off by default, or
> else it’s a hole in the Catalyst default config.
This is how it works today, it's only on by default if the proxy is
located at 127.0.0.1 in a standard front/back proxy setup on a single
box. Anything else must be explicitly enabled by setting
using_frontend_proxy.
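The policy described above, as an added Python illustration rather than Catalyst's own code: X-Forwarded-For is honoured only when the peer is 127.0.0.1 or the application has explicitly set using_frontend_proxy, and only the rightmost entry (the one appended by the trusted proxy) is used. The function name client_address and the header dict are assumptions.

```python
from ipaddress import ip_address


def client_address(remote_addr, headers, using_frontend_proxy=False):
    """Return the best-effort client IP for one request.

    remote_addr:          peer address of the TCP connection (REMOTE_ADDR).
    headers:              dict of request headers; lookup is case-insensitive.
    using_frontend_proxy: explicit opt-in, mirroring the config key named
                          in the thread (hypothetical parameter here).
    """
    # Default policy from the thread: trust the header only when the peer
    # is loopback, i.e. a front/back proxy on the same box. Any other
    # peer must be trusted explicitly, otherwise a client could spoof
    # its address simply by sending the header.
    trusted = using_frontend_proxy or ip_address(remote_addr).is_loopback
    if not trusted:
        return remote_addr

    xff = next((v for k, v in headers.items()
                if k.lower() == "x-forwarded-for"), None)
    if not xff:
        return remote_addr

    # The rightmost entry was appended by the proxy we trust. Entries to
    # its left were supplied by the client or by proxies we know nothing
    # about, so they are never used.
    candidates = [p.strip() for p in xff.split(",") if p.strip()]
    if not candidates:
        return remote_addr
    last = candidates[-1]
    try:
        ip_address(last)          # reject junk such as "unknown"
    except ValueError:
        return remote_addr
    return last


if __name__ == "__main__":
    # Constructed sample requests: LAN proxy at 192.168.1.1 is not trusted
    # by default, so the app sees the proxy address until it opts in.
    hdrs = {"X-Forwarded-For": "203.0.113.7"}
    print(client_address("127.0.0.1", hdrs))                              # 203.0.113.7
    print(client_address("192.168.1.1", hdrs))                            # 192.168.1.1
    print(client_address("192.168.1.1", hdrs, using_frontend_proxy=True)) # 203.0.113.7
```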