X-Forwarded-For can contain multiple IP addresses #352
Conversation
Coverage decreased (-0.08%) when pulling 94fc9304c5217210c06db631b51603a8fd57a507 on fuhrysteve:develop into c7d0ea9 on mattupstate:develop.
Coverage increased (+0.01%) when pulling aadfe70b9f7637268b4f12ec18cbd42840e22249 on fuhrysteve:develop into c7d0ea9 on mattupstate:develop.
Coverage increased (+0.01%) when pulling ab47fe21cab542a931ba061c28024e398cec18cf on fuhrysteve:develop into c7d0ea9 on mattupstate:develop.
Coverage remained the same when pulling a140996eb093998f2830a43ce4eaff3ac69d0ec4 on fuhrysteve:develop into c7d0ea9 on mattupstate:develop.
From the nginx docs: http://nginx.org/en/docs/http/ngx_http_proxy_module.html

> `$proxy_add_x_forwarded_for`
> the “X-Forwarded-For” client request header field with the `$remote_addr` variable appended to it, separated by a comma. If the “X-Forwarded-For” field is not present in the client request header, the `$proxy_add_x_forwarded_for` variable is equal to the `$remote_addr` variable.

Use the last IP address in X-Forwarded-For. For this to work properly behind a trusted proxy, you must be using ProxyFix as described in the flask & werkzeug documentation.
I did a little more research on this and discovered that there are some issues with simply choosing the first address in There is also a potential issue when using the last address on the list if you are using a trusted proxy server to proxy web requests. The recommended solution in the See: I've rebased my commits and cleaned up the original post for clarity.
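To make the two points above concrete (why the first X-Forwarded-For entry is client-controlled, and why the last entry is only right when exactly one trusted proxy sits in front of the app), here is an added example. It is not code from Flask-Security or from this PR; it models nginx's `$proxy_add_x_forwarded_for` behaviour quoted from the docs and the "count N trusted hops from the right" rule that werkzeug's ProxyFix applies with its `x_for` setting, using only the standard library. The addresses 189.254.205.210, 172.21.5.123 and 127.0.0.1 are the ones named in the PR description; the scenario that treats the ec2 host as a second trusted hop is an assumption, and the remaining addresses are constructed RFC 5737 documentation values.

```python
import ipaddress

# Constructed scenario values. The first three addresses are the ones named in
# the PR description; the other two are RFC 5737 documentation addresses.
CLIENT_IP = "189.254.205.210"   # the real client behind the ec2 host
EC2_PROXY = "172.21.5.123"      # the ec2 host that proxied the client
NGINX_ADDR = "127.0.0.1"        # nginx on the same box as gunicorn
SPOOFED_IP = "192.0.2.1"        # value an attacker writes into its own header
ATTACKER_ADDR = "203.0.113.7"   # address the attacker really connects from


def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """Model nginx's $proxy_add_x_forwarded_for as quoted from the docs:
    the incoming X-Forwarded-For with $remote_addr appended after a comma,
    or just $remote_addr when the client sent no such header."""
    if not incoming_xff:
        return remote_addr
    return f"{incoming_xff}, {remote_addr}"


def first_address(xff):
    """The naive choice: the leftmost entry. Whatever the client put in its
    own X-Forwarded-For header ends up here, so it is attacker-controlled."""
    return xff.split(",")[0].strip()


def client_ip(xff, trusted_proxies=1):
    """Pick the client address the way a ProxyFix-style middleware does when
    told how many trusted proxies sit in front of the app (werkzeug's x_for):
    count that many hops back from the right-hand end, because only those
    entries were appended by proxies we control. Everything further left is
    client-supplied. Returns None if the chain is too short or the chosen
    entry is not a valid IP address."""
    if trusted_proxies < 1:
        raise ValueError("trusted_proxies must be at least 1")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if len(hops) < trusted_proxies:
        return None
    candidate = hops[-trusted_proxies]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return None
    return candidate


def spoofing_scenario():
    """One trusted hop (nginx). The attacker sends a forged X-Forwarded-For;
    nginx appends the address it actually accepted the connection from."""
    xff = proxy_add_x_forwarded_for(SPOOFED_IP, ATTACKER_ADDR)
    return {
        "header": xff,
        "first": first_address(xff),   # the forged value
        "last": client_ip(xff, 1),     # the address nginx really saw
    }


def two_hop_scenario():
    """Client -> ec2 proxy -> nginx -> gunicorn, each proxy appending the
    address it saw. Assumes (constructed) that the ec2 host is a second
    trusted hop, so x_for must be 2 to reach the real client."""
    after_ec2 = proxy_add_x_forwarded_for("", CLIENT_IP)           # ec2 appends client
    after_nginx = proxy_add_x_forwarded_for(after_ec2, EC2_PROXY)  # nginx appends ec2
    return {
        "header": after_nginx,
        "remote_addr_without_proxyfix": NGINX_ADDR,  # what gunicorn sees with no ProxyFix
        "x_for_1": client_ip(after_nginx, 1),        # one trusted hop: the ec2 proxy
        "x_for_2": client_ip(after_nginx, 2),        # two trusted hops: the real client
    }


if __name__ == "__main__":
    print(spoofing_scenario())
    print(two_hop_scenario())
```

The second scenario is the one the stack trace in the description hints at: with a single `x_for` hop the tracked address is the ec2 host, not the Mexican client, so the number passed to ProxyFix has to match the number of proxies that are actually yours.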
Good stuff. Thanks!
X-Forwarded-For can contain multiple IP addresses
We should be using whatever the last IP in `X-Forwarded-For` is. Note that in order for this to work properly behind a trusted proxy (i.e. if you are using nginx / similar to forward to gunicorn / similar, as is common), you must use `ProxyFix` as described in the werkzeug and flask documentation. I've added a note to the docs for `SECURITY_TRACKABLE` to point that out, since it's probably not obvious. Perhaps a note should be added elsewhere too? Not sure.

From the nginx docs: http://nginx.org/en/docs/http/ngx_http_proxy_module.html

Here's a stack trace illustrating the issue I was having while using ProxyFix behind a proxy, which in this case was `127.0.0.1`. The client's actual IP address in this case should be `189.254.205.210` (a Mexican IP address - the client was actually in Mexico at the time), though they were being proxied by an ec2 host at `172.21.5.123` (some indent added for clarity):