alfonsodg / demo-web2py

Apache License 2.0
0 stars 0 forks source link

client ip in httpserver.log #48

Closed alfonsodg closed 10 years ago

alfonsodg commented 10 years ago

From sherdim on August 12, 2009 06:41:46

web2py has special procedure to reveal original client ip for identification it is set in request.client with function get_client()

but in httpserver.log only plain remote_addr is logged. For deployment scheme with proxy from the main web-server to WSGI on the same machine IP address is the same for ALL requests! What is the expected output? What do you see instead? Output from the sophisticated get_client() is expected! What version of the product are you using? On what operating system? 1.65, windows not-binary, from sources

Thanks, Dmitry

Original issue: http://code.google.com/p/web2py/issues/detail?id=49

alfonsodg commented 10 years ago

From massimod...@gmail.com on August 13, 2009 08:29:35

You are correct but here is the problem: request.client stores http_x_forwarded_for is present and this can be spoofed. So if web2py is not behind a proxy, the current solution is fine. If web2py is behind a proxy, one should use the proxy logs. In this way none of them can be spoofed.

Status: WontFix

alfonsodg commented 10 years ago

From sherdim on August 13, 2009 09:16:41

OK, proxy logs are the best for such deployment. I have just been disappointed with LogAnal appliance. You should stress in docs that such tool is restricted in proxy environment

And anyway, can you say will be success if I change myself string #249: environ['REMOTE_ADDR'], in appfactory (main.py)?

Is an app really slower if logging is on? How to switch it off?

I will search group and repost these questions there.