Document why REMOTE_ADD may not be the user's IP address #1037

Merged
merged 1 commit into from May 22, 2015


4 participants

@Starefossen
Contributor

This PR updates the Gunicorn deploy documentation on why REMOTE_ADDR may not always be the IP address of the user.

Close: #1035
Related: #633

Signed-off-by: Hans Kristian Flaatten hans.kristian.flaatten@turistforeningen.no

@Starefossen Starefossen added a commit to Starefossen/gunicorn that referenced this pull request May 21, 2015
@Starefossen Starefossen Document why `REMOTE_ADD` may not be the user's IP
Gunicorn v19 removed functionality which updated `REMOTE_ADDR` to the value of
the `X-Forwarded-For` header if received from a trusted upstream client.  This
was a violation of RFC 3875 CGI Version 1.1, and was hence removed.

Close: #1035
PR-URL: #1037
Related: #633

Signed-off-by: Hans Kristian Flaatten <hans.kristian.flaatten@turistforeningen.no>
8e6b5dc
@Starefossen Starefossen changed the title from Document why `REMOTE_ADD` may not be the user's IP to Document why REMOTE_ADD may not be the user's IP address May 21, 2015
@berkerpeksag
Collaborator

LGTM

@Starefossen
Contributor

Maybe also add that REMOTE_ADDR will be empty if you bind Gunicorn to a unix socket as well?

@benoitc
Owner
benoitc commented May 21, 2015

@Starefossen good idea :)

@Starefossen Starefossen added a commit to Starefossen/gunicorn that referenced this pull request May 21, 2015
@Starefossen Starefossen Document why `REMOTE_ADD` may not be the user's IP
Gunicorn v19 removed functionality which updated `REMOTE_ADDR` to the value of
the `X-Forwarded-For` header if received from a trusted upstream client.  This
was a violation of RFC 3875 CGI Version 1.1, and was hence removed.

Close: #1035
PR-URL: #1037
Related: #633

Signed-off-by: Hans Kristian Flaatten <hans.kristian.flaatten@turistforeningen.no>
e0aad07
@Starefossen
Contributor

Ok, I have now amended a paragraph to my original commit.
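To show in working code what this PR documents, here is an added example (not code from Gunicorn, from this PR, or from its author): a small WSGI helper in Python, the language Gunicorn is written in, that resolves the client address given that `REMOTE_ADDR` is the proxy's address on a TCP listener and empty on a unix socket, and that the proxy appends the client address to `X-Forwarded-For`. The trusted proxy ranges, the environ key `example.client_ip`, and the sample environs are constructed assumptions for the demonstration.

```python
import ipaddress

# Constructed example values: the address ranges our own reverse proxies
# (e.g. the Nginx in front of Gunicorn) connect from. Adjust per deployment.
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def _parse_ip(text):
    """Return an ip_address object, or None if `text` is not a valid IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(ip):
    """True if `ip` (an ip_address object or None) is one of our proxies."""
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip(environ):
    """Resolve the real client address from a WSGI environ.

    REMOTE_ADDR is the peer that opened the connection to Gunicorn: the proxy
    when Gunicorn listens on TCP, or the empty string when it listens on a
    unix socket. X-Forwarded-For is consulted only when that peer is one of
    our proxies (an empty REMOTE_ADDR is accepted because only a local process
    can reach a unix socket). The header is read from the right, skipping the
    hops our own proxies appended; the first untrusted entry is the client.
    Entries further left were supplied by the client and are never used.
    Returns None when no trustworthy address can be determined.
    """
    remote = environ.get("REMOTE_ADDR", "")
    if remote and not _is_trusted(_parse_ip(remote)):
        # Direct connection from a client: the header cannot be trusted.
        return remote
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    for hop in reversed(xff.split(",")):
        if not hop.strip():
            continue
        ip = _parse_ip(hop)
        if ip is None:
            return None  # a proxy appended something that is not an IP: give up
        if not _is_trusted(ip):
            return str(ip)
    # Header absent or every hop was one of our proxies: only the peer is left.
    return remote or None


class ClientIPMiddleware:
    """WSGI middleware that stores the resolved address under a custom environ key."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        environ["example.client_ip"] = client_ip(environ)
        return self.app(environ, start_response)


if __name__ == "__main__":
    # Constructed environs: TCP listener behind a trusted proxy, unix socket
    # behind a local proxy, and a client that connected directly.
    samples = [
        {"REMOTE_ADDR": "10.0.0.3", "HTTP_X_FORWARDED_FOR": "192.0.2.10, 203.0.113.5"},
        {"REMOTE_ADDR": "", "HTTP_X_FORWARDED_FOR": "203.0.113.5"},
        {"REMOTE_ADDR": "198.51.100.7", "HTTP_X_FORWARDED_FOR": "10.0.0.1"},
    ]
    for env in samples:
        print(env, "->", client_ip(env))
```

In the first sample the leading `192.0.2.10` is whatever the client put in the header before Nginx appended its own peer address, so it is ignored; in the third sample the client connected directly and its spoofed header is ignored entirely.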

@tilgovi tilgovi and 1 other commented on an outdated diff May 21, 2015
docs/source/deploy.rst
@@ -111,6 +111,21 @@ Gunicorn may come from untrusted proxies or directly from clients since the
application may be tricked into serving SSL-only content over an insecure
connection.
+Gunicorn v19 introduced a breaking change concerning how ``REMOTE_ADDR`` is
+handled. Previous to Gunicorn v19 this was set to the value of
+``X-Forwarded-For`` if recieved from a trusted proxy. However, this was not in
+compliance with `RFC 3875 CGI Version 1.1 <http://www.ietf.org/rfc/rfc3875>`_
+which is why the ``REMOTE_ADDR`` is now the IP address of **the proxy** and
+**not the actual user**. You should instead configure Nginx to send the user's
+IP address through the ``X-Forwarded-For`` header like this::
+
+ ...
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ ...
+
+It is also worth noticing that the ``REMOTE_ADDR`` will be completely empty if
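Review bot: "recieved" on the `X-Forwarded-For` line should be "received", and "Previous to Gunicorn v19" reads better as "Prior to Gunicorn v19". More importantly, the Nginx line `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends `$remote_addr` to whatever `X-Forwarded-For` value the request already carried, so the application sees a comma-separated list whose leading entries are client-supplied. Since the surrounding text warns that requests may come from untrusted proxies or directly from clients, the paragraph should say that the application must take the rightmost entry added by the trusted proxy rather than the first value, or use `proxy_set_header X-Forwarded-For $remote_addr;` when there is no chain of proxies and the header should be overwritten.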
@tilgovi
tilgovi May 21, 2015 Collaborator

"worth noting" would be the typical phrase, I think.

@Starefossen
Starefossen May 21, 2015 Contributor

Agreed, and fixed!

@Starefossen Starefossen added a commit to Starefossen/gunicorn that referenced this pull request May 21, 2015
@Starefossen Starefossen Document why `REMOTE_ADD` may not be the user's IP
Gunicorn v19 removed functionality which updated `REMOTE_ADDR` to the value of
the `X-Forwarded-For` header if received from a trusted upstream client.  This
was a violation of RFC 3875 CGI Version 1.1, and was hence removed.

Close: #1035
PR-URL: #1037
Related: #633

Signed-off-by: Hans Kristian Flaatten <hans.kristian.flaatten@turistforeningen.no>
7b6f8a2
@benoitc benoitc and 1 other commented on an outdated diff May 21, 2015
docs/source/deploy.rst
@@ -111,6 +111,21 @@ Gunicorn may come from untrusted proxies or directly from clients since the
application may be tricked into serving SSL-only content over an insecure
connection.
+Gunicorn v19 introduced a breaking change concerning how ``REMOTE_ADDR`` is
+handled. Previous to Gunicorn v19 this was set to the value of
+``X-Forwarded-For`` if recieved from a trusted proxy. However, this was not in
+compliance with `RFC 3875 CGI Version 1.1 <http://www.ietf.org/rfc/rfc3875>`_
+which is why the ``REMOTE_ADDR`` is now the IP address of **the proxy** and
+**not the actual user**. You should instead configure Nginx to send the user's
+IP address through the ``X-Forwarded-For`` header like this::
+
+ ...
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ ...
+
+It is also worth noting that the ``REMOTE_ADDR`` will be completely empty if you
+bind Gunicorn to a unix socket and not a tcp host:port touple.
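Review bot: the last line's "unix socket and not a tcp host:port touple" should read "Unix socket and not a TCP host:port tuple", and "recieved" earlier in the hunk is still "received". The new paragraph should also tell the reader what follows from an empty `REMOTE_ADDR`: with no TCP peer address, the `X-Forwarded-For` header set by the proxy (as in the snippet just above) is the only source of the client address, and an empty `REMOTE_ADDR` must not be taken as proof that the request came through the proxy, since anything able to write to the socket can send that header.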
@benoitc
benoitc May 21, 2015 Owner

one last typo :) s/touple/tuple

@Starefossen
Starefossen May 21, 2015 Contributor

That's what you get for not running spell check before pushing 😝 Fixed now.

@tilgovi
Collaborator
tilgovi commented May 21, 2015

I love documentation PRs!!! :) :)

@berkerpeksag
Collaborator

@tilgovi +1 :)

@benoitc
Owner
benoitc commented May 21, 2015
@Starefossen Starefossen Document why `REMOTE_ADD` may not be the user's IP
Gunicorn v19 removed functionality which updated `REMOTE_ADDR` to the value of
the `X-Forwarded-For` header if received from a trusted upstream client.  This
was a violation of RFC 3875 CGI Version 1.1, and was hence removed.

Close: #1035
PR-URL: #1037
Related: #633

Signed-off-by: Hans Kristian Flaatten <hans.kristian.flaatten@turistforeningen.no>
85d857d
@Starefossen
Contributor

I'm just happy to be of any help. Thank you for making Gunicorn ❤️

@berkerpeksag berkerpeksag merged commit e6cf15c into benoitc:master May 22, 2015

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@berkerpeksag
Collaborator

Thanks!
