[SCM] live-studio branch, master, updated. 47bbabbccf60b66a17cf892768e7376a6394dc53
Chris Lamb
lamby at debian.org
Fri Jul 30 19:56:51 UTC 2010
The following commit has been merged in the master branch:
commit 2daa5b70dee7f15e1896b582fe467734e510541d
Author: Chris Lamb <lamby at debian.org>
Date: Fri Jul 30 15:53:11 2010 -0400
Add SetRemoteAddrFromForwardedFor as we are using a reverse proxy
diff --git a/live_studio/auth/middleware.py b/live_studio/auth/middleware.py
index 9799903..93f668f 100644
--- a/live_studio/auth/middleware.py
+++ b/live_studio/auth/middleware.py
@@ -22,3 +22,27 @@ class RequireLoginMiddleware(object):
return
return HttpResponseRedirect(settings.LOGIN_URL)
+
+class SetRemoteAddrFromForwardedFor(object):
+ """
+ Middleware that sets REMOTE_ADDR based on HTTP_X_FORWARDED_FOR, if the
+ latter is set. This is useful if you're sitting behind a reverse proxy that
+ causes each request's REMOTE_ADDR to be set to 127.0.0.1.
+
+ Note that this does NOT validate HTTP_X_FORWARDED_FOR. If you're not behind
+ a reverse proxy that sets HTTP_X_FORWARDED_FOR automatically, do not use
+ this middleware. Anybody can spoof the value of HTTP_X_FORWARDED_FOR, and
+ because this sets REMOTE_ADDR based on HTTP_X_FORWARDED_FOR, that means
+ anybody can "fake" their IP address. Only use this when you can absolutely
+ trust the value of HTTP_X_FORWARDED_FOR.
+ """
+ def process_request(self, request):
+ try:
+ real_ip = request.META['HTTP_X_FORWARDED_FOR']
+ except KeyError:
+ return None
+ else:
+ # HTTP_X_FORWARDED_FOR can be a comma-separated list of IPs. The
+ # client's IP will be the first one.
+ real_ip = real_ip.split(",")[0].strip()
+ request.META['REMOTE_ADDR'] = real_ip
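Review bot: In process_request the line `real_ip = real_ip.split(",")[0].strip()` takes the leftmost X-Forwarded-For entry, which is client-controlled if the reverse proxy appends its own value to an incoming header instead of overwriting it. In that setup REMOTE_ADDR becomes whatever the client sent, so any IP-based logging, throttling or access check downstream cannot be relied on. Either confirm that the proxy replaces the header, or take the entry added by the trusted proxy, which for a single proxy hop is `real_ip = real_ip.split(",")[-1].strip()`. It would also help to rewrite REMOTE_ADDR only when the original REMOTE_ADDR is the proxy's own address, so that a direct connection cannot supply the header.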
diff --git a/live_studio/settings/defaults/middleware.py b/live_studio/settings/defaults/middleware.py
index 7eefc49..2a13a6d 100644
--- a/live_studio/settings/defaults/middleware.py
+++ b/live_studio/settings/defaults/middleware.py
@@ -1,9 +1,9 @@
MIDDLEWARE_CLASSES = [
+ 'live_studio.auth.middleware.SetRemoteAddrFromForwardedFor',
'django.middleware.common.CommonMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
-
'live_studio.auth.middleware.RequireLoginMiddleware',
'django.middleware.transaction.TransactionMiddleware',
]
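Review bot: Adding `'live_studio.auth.middleware.SetRemoteAddrFromForwardedFor'` to the defaults list enables it for every settings profile that inherits these defaults, while the class docstring says it must only be used behind a proxy that sets the header. If any development or directly exposed deployment uses these defaults (not visible from this hunk), it will trust a client-supplied X-Forwarded-For. Consider enabling the middleware only in the proxied deployment's settings, or at least add a comment above the entry such as `# Only valid behind a trusted reverse proxy that sets X-Forwarded-For`.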
--
live-studio