Do not override REMOTE_ADDR with X-Forwarded-For #633
From RFC 3875: "The REMOTE_ADDR variable MUST be set to the network address of the client sending the request to the server."

You can actually disable this behaviour by setting the

Anyway the old Web CGI interface spec [1] is more explicit than the final spec:

where the final spec [2] says:

It is not clear in the final spec if the client is the proxy or not. Anyway, if other WSGI servers are doing the first one, we should fix it in gunicorn. I'm reluctant to remove all that useful code though :) so maybe we could add another environ, I dunno. Feedback is welcome.

[1] http://ken.coar.org/cgi/draft-coar-cgi-v11-03.txt
@davisp @tilgovi @kennethreitz @sirkonst any feedback?

The patch is OK for the case where the socket is a TCP socket, but what information should we set when this is a UNIX socket? In that case the address is always the socket path and the port is empty. Any idea? Same problem somehow with #628.
Add an option to force the remote addr with the X-Forwarded-For header

Fix the usage when bound to a unix socket instead of a TCP one.
When using a Unix socket:
cli = ["--override-remote-addr"]
validator = validate_bool
action = "store_true"
default = False
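Review bot: `default = False` flips the behaviour that every existing deployment behind a reverse proxy currently relies on (REMOTE_ADDR stops reflecting X-Forwarded-For), so this hunk needs a matching changelog and documentation entry telling such deployments to either pass `--override-remote-addr` or read the header in the application. Whatever the default ends up being, the override should only honour X-Forwarded-For when the request arrives from a trusted upstream proxy: the client/server test later in this thread shows a directly connected client setting the header itself, and with an unconditional override that client chooses its own REMOTE_ADDR.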
Shouldn't this option be True by default for backward compatibility?
That's a good question; the code has been here for a long time...
I am OK with that too. How do you want to call that option in that case?
I'm finally in favour of introducing the following breaking change like the initial patch suggested:
To facilitate the transition we could propose some code to get the forwarded IP in the doc. Thoughts?

@benoitc This breaks the usefulness of gunicorn's access log! The remote_addr is always the proxy IP. What do you think is the correct way to handle this? Do you think it would be possible to add a symbol for "forwarded ip" in log formats?

I think

I can see why this was changed, but I think it should be mentioned better in the docs, and a suggested workaround should maybe also be mentioned.

@Starefossen +1, can you open an issue for that? Would help to track it :)
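The "code to get the forwarded IP" that benoitc suggests documenting, and the value an access log would want in place of the proxy IP, can live in the application once gunicorn leaves REMOTE_ADDR as the peer address. The following is an added example and not gunicorn's own code: a WSGI middleware that consults X-Forwarded-For only when REMOTE_ADDR is a trusted proxy, walks the hop list from the right so that entries a client prepends itself are never trusted, and also handles the Unix-socket case from earlier in the thread, where REMOTE_ADDR is the socket path rather than an IP. The trusted-proxy list, the environ keys `example.client_addr` / `example.client_addr_source`, and the sample environ dicts are assumptions made for this example.

```python
"""Added example (not gunicorn's own code): derive the real client address
from X-Forwarded-For in the WSGI application while REMOTE_ADDR stays the
peer address as RFC 3875 requires. Trusted-proxy entries, the
'example.client_addr*' environ keys and the sample environ dicts below are
assumptions made for this example."""
import ipaddress


def _matcher(entry):
    """Build a predicate for one trusted-proxy entry. IP addresses and CIDR
    ranges match as networks; any other string (e.g. the Unix socket path
    gunicorn reports as REMOTE_ADDR when bound to a Unix socket) matches
    literally."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return lambda addr: addr == entry

    def in_net(addr):
        try:
            return ipaddress.ip_address(addr) in net
        except ValueError:
            return False
    return in_net


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def client_address(environ, trusted_proxies):
    """Return (address, source); source is 'peer' or 'forwarded'.

    X-Forwarded-For is consulted only when REMOTE_ADDR is a trusted proxy.
    The hop list is then walked from the right, skipping trusted proxies; the
    first untrusted hop is the client. Entries a client adds itself (the
    leftmost ones) are therefore ignored, and a malformed hop falls back to
    the peer address.
    """
    matchers = [_matcher(t) for t in trusted_proxies]
    peer = environ.get('REMOTE_ADDR', '')
    if not any(m(peer) for m in matchers):
        return peer, 'peer'
    raw = environ.get('HTTP_X_FORWARDED_FOR', '')
    hops = [h.strip() for h in raw.split(',') if h.strip()]
    for hop in reversed(hops):
        if any(m(hop) for m in matchers):
            continue
        if not _is_ip(hop):
            break
        return hop, 'forwarded'
    return peer, 'peer'


class ForwardedForMiddleware:
    """Leave REMOTE_ADDR untouched and publish the derived client address
    under separate (assumed) environ keys; that derived value is also what an
    access log should record as the client."""
    def __init__(self, app, trusted_proxies):
        self.app = app
        self.trusted_proxies = list(trusted_proxies)

    def __call__(self, environ, start_response):
        addr, source = client_address(environ, self.trusted_proxies)
        environ['example.client_addr'] = addr
        environ['example.client_addr_source'] = source
        return self.app(environ, start_response)


def _app(environ, start_response):
    start_response('200 OK', [('Content-Type', 'text/plain')])
    body = 'REMOTE_ADDR={0}\nclient={1} ({2})\n'.format(
        environ['REMOTE_ADDR'], environ['example.client_addr'],
        environ['example.client_addr_source'])
    return [body.encode('utf-8')]


def run_demo():
    """Exercise the middleware with constructed environ dicts (no network)."""
    app = ForwardedForMiddleware(_app, ['10.0.0.0/8', '/run/gunicorn.sock'])
    cases = {
        # directly connected client that forges the header: peer wins
        'direct_forged': {'REMOTE_ADDR': '203.0.113.7',
                          'HTTP_X_FORWARDED_FOR': '1.2.3.4'},
        # two trusted proxies in a row, client-supplied '1.2.3.4' ignored
        'via_proxy': {'REMOTE_ADDR': '10.0.0.5',
                      'HTTP_X_FORWARDED_FOR': '1.2.3.4, 198.51.100.9, 10.0.0.6'},
        # bound to a Unix socket: REMOTE_ADDR is the socket path
        'unix_socket': {'REMOTE_ADDR': '/run/gunicorn.sock',
                        'HTTP_X_FORWARDED_FOR': '198.51.100.9'},
    }
    out = {}
    for name, env in cases.items():
        body = b''.join(app(env, lambda status, headers: None)).decode('utf-8')
        out[name] = body
        print(name + ':\n' + body)
    return out


if __name__ == '__main__':
    run_demo()
```

The peer check comes first on purpose: a client that reaches gunicorn without going through the proxy gets its own peer address back no matter what it puts in the header, which is exactly the property that an unconditional override loses.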
Gunicorn v19 removed functionality which updated `REMOTE_ADDR` to the value of the `X-Forwarded-For` header if received from a trusted upstream client. This was a violation of RFC 3875 CGI Version 1.1, and was hence removed.

Close: benoitc#1035
PR-URL: benoitc#1037
Related: benoitc#633
Signed-off-by: Hans Kristian Flaatten <hans.kristian.flaatten@turistforeningen.no>
From RFC 3875: "The REMOTE_ADDR variable MUST be set to the network address of the client sending the request to the server."

For example:

WSGI app:
```python
def application(environ, start_response):
    start_response('200 OK', [('Content-Type', 'text/html')])
    ret = []
    # Report only the two CGI variables relevant to this issue.
    for k, v in environ.items():
        if k not in ('REMOTE_ADDR', 'HTTP_X_FORWARDED_FOR'):
            continue
        # WSGI response bodies are bytes
        ret.append('{0}={1}\n'.format(k, v).encode('utf-8'))
    return ret
```
Client:

```python
import requests

# Send a forged X-Forwarded-For directly to the server (no proxy in between).
response = requests.get('http://localhost:5000',
                        headers={'X-Forwarded-For': '1.2.3.4'})
print(response.text)
```
Running server and client:

```
python client.py
REMOTE_ADDR=127.0.0.1
HTTP_X_FORWARDED_FOR=1.2.3.4
```
Before that patch, using gunicorn, it is impossible to get the proxy address inside the WSGI application. With every other tested WSGI server (mod_wsgi and uwsgi), it works. Gunicorn should work too.