Closed Jollyfant closed 3 years ago
Or maybe the user IP address is at index 0. I'm not sure 🤷♂️
Hi, isn't x-forwarded-for a header that should be added by the proxy itself? otherwise if sb. is using the federator without proxy, it is looking as having forwarded the message to itself, and if it is run behind a NAT, the header would contain the wrong (local) address...
@Jollyfant,
When performing PR I'd prefer merging back into next
. I'm planning to use the git-flow branching model which should make it much easier to keep the history clean. Especially when working collaboratively.
Though, I should fix this fact within some still to be done contribution guidelines ...
isn't x-forwarded-for a header that should be added by the proxy itself? otherwise if sb. is using the federator without proxy, it is looking as having forwarded the message to itself, and if it is run behind a NAT, the header would contain the wrong (local) address...
Hmm.. using request.access_route
I think it always includes any previous proxy IPs including itself so that should be fine. But the Federator must pass the information to the endpoints through this header in any case right?
When performing PR I'd prefer merging back into next. I'm planning to use the git-flow branching model which should make it much easier to keep the history clean. Especially when working collaboratively.
Yeah sorry good point.
I am not sure whether i have got your point.
my understanding: request.remote_addr does not return header content, but the address of the other end of the tcp connection. request.access_route returns: [any x-accessed-for header], request.remote_addr()
Thus: if a request is travelling client -> proxy -> federator, and the response federator -> proxy -> server, and if we are looking at the response:
I'm a little confused too about the discussion. The point is that the X-Forwarded-For header is not for the client. If it for the EIDA node that the Federator makes the request to so that their logging shows the original client, and not just the Federator IP.
Client -> Proxy -> Federator -> Endpoint
If the Proxy and Federator both respect the X-Forwared-For the result should be that the original client IP should be passed to the endpoint.
Ok. i got it. it is kind of cheating as, in most cases, the request coming from the federator to the end point is different from the one coming from the client to the federator. but it is probably a quite pragmatic idea...
Maybe something like this? The
request.access_route
returns a list of all the IP addresses and proxies in between with the last one being the original address. Since our Federator is behind a proxy it was just showing our own IP when I usedrequest.remote_addr
.