mirror of https://github.com/zulip/zulip.git
07779ea879
The `X-Forwarded-For` header is a list of proxies' IP addresses; each proxy appends the remote address of the host it received its request from to the list, as it passes the request down. A naïve parsing, as SetRemoteAddrFromForwardedFor did, would thus interpret the first address in the list as the client's IP. However, clients can pass in arbitrary `X-Forwarded-For` headers, which would allow them to spoof their IP address. `nginx`'s behavior is to treat the addresses as untrusted unless they match an allowlist of known proxies. By setting `real_ip_recursive on`, it also allows this behavior to be applied repeatedly, moving from right to left down the `X-Forwarded-For` list, stopping at the right-most that is untrusted. Rather than re-implement this logic in Django, pass the first untrusted value that `nginx` computes down into Django via the `X-Real-Ip` header. This allows consistent IP addresses in logs between `nginx` and Django. Proxied calls into Tornado (which don't use UWSGI) already passed this header, as Tornado logging respects it. | ||
---|---|---|
jinja2 | ||
__init__.py | ||
backends.py | ||
computed_settings.py | ||
config.py | ||
configured_settings.py | ||
default_settings.py | ||
dev_settings.py | ||
dev_urls.py | ||
email_backends.py | ||
legacy_urls.py | ||
prod_settings_template.py | ||
sentry.py | ||
settings.py | ||
terms.md.template | ||
test_extra_settings.py | ||
test_settings.py | ||
urls.py | ||
wsgi.py |