From d653b5d8204e130684ef63774b9005bc6c8aeb6b Mon Sep 17 00:00:00 2001 From: Nick Sweeting Date: Tue, 14 Mar 2017 22:38:04 -0400 Subject: [PATCH 1/2] Update docs to hint about setting IP issues behind proxy --- docs/installation.rst | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/installation.rst b/docs/installation.rst index 2e41adb..d508de5 100644 --- a/docs/installation.rst +++ b/docs/installation.rst @@ -21,3 +21,16 @@ documentation on `installing GeoIP`_. .. _installing GeoIP: https://docs.djangoproject.com/en/1.6/ref/contrib/gis/geoip/ + +IP Data Accuracy +---------------- +If you're running Django behind a proxy like nginx, you will have to set +the `REMOTE_ADDR` META header manually using a middleware, to stop it from +always returning the ip of the proxy (e.g. 127.0.0.1 in many cases). + +An example middleware to fix this issue is https://github.com/allo-/django-xforwardedfor-middleware +Which simply does this for each request: + +``request.META['REMOTE_ADDR'] = request.META['HTTP_X_FORWARDED_FOR'].split(',')[0].strip()`` + +Your particular configuration may vary, X-Forwarded-For is not always accurate in some cases. From 2684906c0e99f71b53eb8505bd8565b28e4a1c72 Mon Sep 17 00:00:00 2001 From: Bouke Haarsma Date: Wed, 15 Mar 2017 07:48:48 +0100 Subject: [PATCH 2/2] Warn about client IP spoofing --- docs/installation.rst | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/installation.rst b/docs/installation.rst index d508de5..9c79739 100644 --- a/docs/installation.rst +++ b/docs/installation.rst 
@@ -22,8 +22,8 @@ documentation on `installing GeoIP`_. .. _installing GeoIP: https://docs.djangoproject.com/en/1.6/ref/contrib/gis/geoip/ -IP Data Accuracy ----------------- +IP when behind a proxy +---------------------- If you're running Django behind a proxy like nginx, you will have to set the `REMOTE_ADDR` META header manually using a middleware, to stop it from always returning the ip of the proxy (e.g. 127.0.0.1 in many cases). @@ -33,4 +33,6 @@ Which simply does this for each request: ``request.META['REMOTE_ADDR'] = request.META['HTTP_X_FORWARDED_FOR'].split(',')[0].strip()`` -Your particular configuration may vary, X-Forwarded-For is not always accurate in some cases. +Your particular configuration may vary, `X-Forwarded-For` must be set by +a proxy that you have control over, otherwise it might be spoofed by the +client.
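Review bot: In [PATCH 1/2], the added line ``request.META['REMOTE_ADDR'] = request.META['HTTP_X_FORWARDED_FOR'].split(',')[0].strip()`` is offered as the fix without stating its two preconditions. It indexes ``HTTP_X_FORWARDED_FOR`` unconditionally, so a request that arrives without the header raises KeyError. It also takes the leftmost entry, which is whatever the client sent if the proxy appends to an existing header instead of replacing it. Suggest saying that the middleware should only be enabled when every request passes through the proxy and the proxy sets the header itself. Two style points in the same hunk: `REMOTE_ADDR` in single backticks is interpreted text in reStructuredText rather than a literal, so use double backticks as the code line does; and "Which simply does this for each request:" is a sentence fragment that should be joined to the sentence before it.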
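Review bot: In [PATCH 2/2], the new warning in the last hunk (@@ -33,4 +33,6 @@) says `X-Forwarded-For` "must be set by a proxy that you have control over", but the unchanged example line directly above it still uses ``.split(',')[0]``. With a trusted proxy that appends to a client-supplied header, the first element remains client-controlled, so following the documented snippet stays spoofable even when the warning is obeyed. Suggest either stating that the proxy must overwrite any incoming X-Forwarded-For value, or changing the example to take the entry written by the trusted proxy. Also, "Your particular configuration may vary, `X-Forwarded-For` must be set" is a comma splice and would read better as two sentences, and the single backticks around the header name should be double backticks for a reStructuredText literal.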