Skip to content

Commit 8f065bb

Browse files
adrianholovatyadrianholovaty
committed
Fixed django#2552 -- Added SetRemoteAddrFromForwardedFor middleware and documentation. Thanks, Ian Holsman
git-svn-id: http://code.djangoproject.com/svn/django/trunk@3602 bcc190cf-cafb-0310-a4f2-bffc1f526a37
1 parent efa19ae commit 8f065bb

File tree

2 files changed

+41
-1
lines changed

2 files changed

+41
-1
lines changed

django/middleware/http.py

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -35,3 +35,27 @@ def process_response(self, request, response):
3535
response.content = ''
3636

3737
return response
38+
39+
class SetRemoteAddrFromForwardedFor(object):
40+
"""
41+
Middleware that sets REMOTE_ADDR based on HTTP_X_FORWARDED_FOR, if the
42+
latter is set. This is useful if you're sitting behind a reverse proxy that
43+
causes each request's REMOTE_ADDR to be set to 127.0.0.1.
44+
45+
Note that this does NOT validate HTTP_X_FORWARDED_FOR. If you're not behind
46+
a reverse proxy that sets HTTP_X_FORWARDED_FOR automatically, do not use
47+
this middleware. Anybody can spoof the value of HTTP_X_FORWARDED_FOR, and
48+
because this sets REMOTE_ADDR based on HTTP_X_FORWARDED_FOR, that means
49+
anybody can "fake" their IP address. Only use this when you can absolutely
50+
trust the value of HTTP_X_FORWARDED_FOR.
51+
"""
52+
def process_request(self, request):
53+
try:
54+
real_ip = request.META['HTTP_X_FORWARDED_FOR']
55+
except KeyError:
56+
return None
57+
else:
58+
# HTTP_X_FORWARDED_FOR can be a comma-separated list of IPs.
59+
# Take just the first one.
60+
real_ip = real_ip.split(",")[0]
61+
request.META['REMOTE_ADDR'] = real_ip

docs/middleware.txt

Lines changed: 17 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -63,7 +63,7 @@ Adds a few conveniences for perfectionists:
6363
last component in the path contains a period. So ``foo.com/bar`` is
6464
redirected to ``foo.com/bar/``, but ``foo.com/bar/file.txt`` is passed
6565
through unchanged.
66-
66+
6767
If ``PREPEND_WWW`` is ``True``, URLs that lack a leading "www." will be
6868
redirected to the same URL with a leading "www."
6969

@@ -101,6 +101,22 @@ Handles conditional GET operations. If the response has a ``ETag`` or
101101
Also removes the content from any response to a HEAD request and sets the
102102
``Date`` and ``Content-Length`` response-headers.
103103

104+
django.middleware.http.SetRemoteAddrFromForwardedFor
105+
----------------------------------------------------
106+
107+
**New in Django development version**
108+
109+
Sets ``request['REMOTE_ADDR']`` based on ``request.['HTTP_X_FORWARDED_FOR']``,
110+
if the latter is set. This is useful if you're sitting behind a reverse proxy
111+
that causes each request's ``REMOTE_ADDR`` to be set to ``127.0.0.1``.
112+
113+
**Important note:** This does NOT validate ``HTTP_X_FORWARDED_FOR``. If you're
114+
not behind a reverse proxy that sets ``HTTP_X_FORWARDED_FOR`` automatically, do
115+
not use this middleware. Anybody can spoof the value of
116+
``HTTP_X_FORWARDED_FOR``, and because this sets ``REMOTE_ADDR`` based on
117+
``HTTP_X_FORWARDED_FOR``, that means anybody can "fake" their IP address. Only
118+
use this when you can absolutely trust the value of ``HTTP_X_FORWARDED_FOR``.
119+
104120
django.contrib.sessions.middleware.SessionMiddleware
105121
----------------------------------------------------
106122

0 commit comments

Comments
 (0)