[Catalyst] X-Forwarded-For
Andy Grundman
andy at hybridized.org
Wed Apr 2 04:38:15 BST 2008
On Apr 1, 2008, at 11:17 PM, Bill Moseley wrote:
> C::Engine::Apache does this:
>
> # If we are running as a backend server, the user will always appear
> # as 127.0.0.1. Select the most recent upstream IP (last in the list)
> my ($ip) = $headers->{'X-Forwarded-For'} =~ /([^,\s]+)$/;
> $c->request->address( $ip );
>
> Why the "most recent"? If there are two proxies then that address is
> our top proxy.
>
> Don't we want $c->req->address to be the client's IP?
>
> For example, I'm seeing this header:
>
> X-Forwarded-For: 192.168.51.158, 10.1.6.1
>
> So C::Engine::Apache is setting $c->req->address to 10.1.6.1.
>
> The first IP in X-Forwarded-For is the client IP.
>
> Shouldn't C::Apache::Engine use the first address?
When using X-Forwarded-For you cannot trust any value that is not
added by your own upstream proxy, so we only want to use the last
value in the list.
-Andy
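
The rule in the reply above, generalised to a chain of more than one proxy you operate yourself, as an added example that is not part of the original thread or of Catalyst's code. The function name client_address, the trusted-proxy sets and the address 203.0.113.9 are assumptions made for illustration; the first header is the one quoted in the thread.

```perl
use strict;
use warnings;

# Added example, not Catalyst code. client_address() and the trusted-proxy
# sets passed to it are hypothetical; sample addresses are constructed.
sub client_address {
    my ($peer, $xff, $trusted) = @_;

    # A peer we do not operate could have written the whole header itself.
    return $peer unless $trusted->{$peer};

    (my $list = $xff // '') =~ s/^\s+|\s+$//g;
    my @hops = grep { length } split /\s*,\s*/, $list;

    # Each entry was appended by the hop to its right, so read from the
    # right and stop at the first address that is not one of our proxies.
    # Everything further left was supplied by that untrusted host.
    my $addr = $peer;
    while (@hops) {
        $addr = pop @hops;
        last unless $trusted->{$addr};
    }
    return $addr;
}

my %backend_only = map { $_ => 1 } qw(127.0.0.1);
my %two_proxies  = map { $_ => 1 } qw(127.0.0.1 10.1.6.1);

# Header from the thread, then the same header with a client-supplied
# entry prepended (constructed).
for my $xff ('192.168.51.158, 10.1.6.1',
             '203.0.113.9, 192.168.51.158, 10.1.6.1') {
    printf "%-40s one proxy: %-15s two proxies: %s\n", $xff,
        client_address('127.0.0.1', $xff, \%backend_only),
        client_address('127.0.0.1', $xff, \%two_proxies);
}
```

With only 127.0.0.1 trusted, both headers resolve to 10.1.6.1, the same value the engine's regex selects. With 10.1.6.1 also listed as a proxy you run, both resolve to 192.168.51.158, and the prepended entry is never returned.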