[Box-Admins] Re: I need Help (was Re: Squeak Wiki Problem)

Jochen F. Rick nadja at cc.gatech.edu
Wed Jan 31 21:36:27 UTC 2007


Well. I guess the real point is whether you trust the Apache server that
is doing the forward. If you do, then the x-forwarded-for header should 
be in good condition.

Peace and Luck!

Jeff


On Wed, Jan 31, 2007 at 02:50:13PM -0600, Ken Causey wrote:
> Thank you, I believe that does fix the immediate problem.  I will notify
> squeak-dev and request confirmation from those that had trouble.
> 
> One comment however.  This still assumes that the x-forwarded-for
> header, if it exists, is non-pathological.  Should you not confirm that
> you get something that is truly IP-address-like and if not ignore the
> header?
> 
> But perhaps I'm asking too much.  What are the chances that a valid
> browsing user is going to have a pathological x-forwarded-for header?
> Perhaps too small to be of interest.
> 
> In any case, thanks!
> 
> Ken
> 
> On Tue, 2007-01-30 at 16:05 -0500, Jochen F. Rick wrote:
> > Hi Ken,
> > 
> > I was finally able to get somebody to help me check this. I have a fix. 
> > I'm attaching it.
> > 
> > Peace and Luck!
> > 
> > Jeff
> > 
> > 
> > On Thu, Jan 18, 2007 at 05:51:10PM -0600, Ken Causey wrote:
> > > Here is what I have found:
> > > 
> > > "If a request has passed through multiple proxies then the
> > > X-Forwarded-For may contain several IPs like this: 
> > > 
> > > X-Forwarded-For: client1, proxy1, proxy2"
> > > 
> > > http://www.openinfo.co.uk/apache/index.html
> > > 
> > > And this appears to be true for the one example I have seen.   So
> > > fundamentally I think you simply need to look at the first quad and ignore
> > > the rest.  At the same time, if it is non-blank, but you can't extract
> > > the host address, you probably should treat it as if the x-forwarded-for
> > > header is simply non-existent.
> > > 
> > > Ken
> > > 
> > > On Thu, 2007-01-18 at 18:13 -0500, Jochen F. Rick wrote:
> > > > Interesting. Why would it have two x-forwarded-for addresses? In other 
> > > > words, what is the meaning of the other address? Which address should be 
> > > > used?
> > > > 
> > > > Peace and Luck!
> > > > 
> > > > Jeff
> > > > 
> > > > 
> > > > 
> > > > On Thu, Jan 18, 2007 at 04:16:45PM -0600, Ken Causey wrote:
> > > > > I have been debugging the reported problems accessing the
> > > > > wiki.squeak.org wiki for those behind a proxy.  I have tracked it down
> > > > > to the implementation of HttpRequest>>initProxyForwarding in the image.
> > > > > It assumes that if an x-forwarded-for header exists that it is a single
> > > > > IP address.  This appears to be a poor assumption.  For example:
> > > > > 
> > > > > x-forwarded-for: 74.141.6.178, 62.90.138.162
> > > > > 
> > > > > I have not so far been able to track down documentation to confirm
> > > > > whether or not this is 'officially' valid.  Nonetheless Swiki should
> > > > > probably not fail when this assumption is invalid.
> > > > > 
> > > > > Ken
> > > > 
> > > > 
> > > > 
> > 
> > 
> > 



-- 
Jochen "Jeff" Rick, PhD Candidate, Georgia Tech College of Computing
jochen.rick at cc.gatech.edu, http://www.je77.com/, work: 404-385-1105
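
The header handling discussed in this thread, as an added Python example (not part of the original messages and not the Swiki fix that was attached): honor x-forwarded-for only when the connection comes from a proxy you trust, use the first entry, and fall back to the connection address when that entry is not IP-address-like. The proxy address 10.0.0.5 and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: address of the front-end Apache proxy (assumption).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def parse_ip(text):
    """Return an ip_address object, or None if text is not IP-address-like."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_address(peer, xff, trusted=TRUSTED_PROXIES):
    """Pick the address a request should be attributed to.

    peer: address of the TCP connection, as a string.
    xff:  raw x-forwarded-for value, or None when the header is absent.
    """
    peer_ip = ipaddress.ip_address(peer)
    # Only a proxy we trust may speak for another host; a header arriving
    # on a direct connection is ignored entirely.
    if peer_ip not in trusted or not xff:
        return str(peer_ip)
    # Rule from the thread: look at the first entry and ignore the rest.
    first = parse_ip(xff.split(",")[0])
    # Non-blank but unparseable: treat the header as if it did not exist.
    return str(first) if first is not None else str(peer_ip)


if __name__ == "__main__":
    # Constructed inputs; the two-address header is the one quoted above.
    samples = [
        ("10.0.0.5", "74.141.6.178, 62.90.138.162"),
        ("10.0.0.5", "unknown, 62.90.138.162"),
        ("10.0.0.5", None),
        ("203.0.113.9", "74.141.6.178"),
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", client_address(peer, xff))
```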

