
X-Forwarded-For unknown?
Sascha Ottolski <sascha.ottolski(at)gallileus.de>
2004-09-08 15:37:19
Hi,

I'm kind of confused about the forwarded-for headers. I assumed that 
they would be guaranteed to include the IP of the next host pound is 
talking to, maybe in addition to a list of other IPs that were added by 
proxies on the way.

However, we often see things like this on our backends:

HTTP_X_FORWARDED_FOR 200.217.44.204, unknown
or even
HTTP_X_FORWARDED_FOR unknown

That way, there's no information left for the backend to know where the 
request came from. Is there a way to change this behaviour? Obviously, 
pound writes the IP to its own log, so I can't see why this information 
couldn't be passed along.

BTW, if the request already has an X-Forwarded-For header, at which 
position would pound add its own, as first or last?

Or am I looking somewhere totally wrong, maybe our zope (2.7) backends 
are messing around with the headers? Couldn't find a hint in the 
sources, though.


Thanks for any insight,

Sascha
[...]

Re: X-Forwarded-For unknown?
Sascha Ottolski <sascha.ottolski(at)gallileus.de>
2004-09-08 16:05:16
On Wednesday, 8 September 2004 15:37, Sascha Ottolski wrote:[...]
I _might_ have found a hint myself. I just did a quick test with tcpwatch in 
between, and a squid between my browser and pound. With this setup, I 
see two X-Forwarded-For headers:

X-Forwarded-For: 192.168.0.98
Host: somehost.com:80
Cache-Control: max-age=259200
Connection: keep-alive
X-Forwarded-For: 217.231.xxx.xxx

Shouldn't pound add its header to the existing one, so only one

X-Forwarded-For: 192.168.0.98, 217.231.xxx.xxx

(or the other way round, don't know which way is correct)
X-Forwarded-For: 217.231.xxx.xxx, 192.168.0.98

exists?


Thanks, Sascha
[...]

Re: X-Forwarded-For unknown?
Robert Segall <roseg(at)apsis.ch>
2004-09-08 16:05:47
On Wednesday 08 September 2004 15.37, Sascha Ottolski wrote:[...]

Pound adds its own X-Forwarded-for header as last. Additional headers may 
already be there from preceding proxies - which is allowed by the HTTP RFC's.

I suggest you dump the REQUEST in Zope (or use tcpwatch between Pound and 
Zope) to see exactly what headers are there. I can't really imagine that 
Pound would give you an "unknown" address, especially if the correct 
addresses appear in the logs (they are obtained in exactly the same way).[...]

Re: X-Forwarded-For unknown?
Sascha Ottolski <sascha.ottolski(at)gallileus.de>
2004-09-08 16:37:22
[sorry Robert, was meant for the list, of course]

On Wednesday, 8 September 2004 16:05, you wrote:[...]

I see, thanks for the info. However, after a bit of reading around it seems 
as if X-Forwarded-For itself is not covered by RFC, so there seem to be 
no strict rules. But anywhere it is mentioned there is only one header 
per request, which carries a list of proxies, where new values are 
appended as last element to possibly existing ones.

On http://www.openinfo.co.uk/apache/
I read:

"If a request has passed through multiple proxies then the 
X-Forwarded-For may contain several IPs like this:

X-Forwarded-For: client1, proxy1, proxy2"

At least zope is expecting the same. Maybe it could be a good idea to 
let pound behave in that way?


Thanks, Sascha
[...]

Re: X-Forwarded-For unknown?
Robert Segall <roseg(at)apsis.ch>
2004-09-08 18:43:49
On Wednesday 08 September 2004 16.37, Sascha Ottolski wrote:[...]

Maybe, but it would involve quite a few complications (recognising and 
changing headers instead of adding a new one). Based on the RFC's I don't 
believe it to be necessary. To quote from RFC2616 (HTTP 1.1):

Multiple message-header fields with the same field-name MAY be present in a 
message if and only if the entire field-value for that header field is 
defined as a comma-separated list [i.e., #(values)]. It MUST be possible to 
combine the multiple header fields into one "field-name: field-value" pair, 
without changing the semantics of the message, by appending each subsequent 
field-value to the first, each separated by a comma. The order in which 
header fields with the same field-name are received is therefore significant 
to the interpretation of the combined field value, and thus a proxy MUST NOT 
change the order of these field values when a message is forwarded.

I take this to mean that having multiple headers with the same name is allowed 
and exactly equivalent to having a single such header with a comma-separated 
value list. Thus having

...
X-Forwarded-for: client1, proxy1
...
X-Forwarded-for: proxy2                <-- added by Pound
...

should mean exactly the same as

...
X-Forwarded-for: client1, proxy1, proxy2
...

It is true that X-Forwarded-for is not defined in the standard (or any other 
X-anything header for that matter), but they should obey the same syntax as 
all other headers. Appending such a final header to the other headers from 
the request is permissible, based on the above.

I have not looked too closely at how exactly Zope deals with such multiple 
headers, but (at least in my opinion) if it does anything else one should 
file a bug report with Zope about it.[...]
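
As an added example (not part of the thread, and not Pound or Zope code): a backend-side sketch that folds repeated X-Forwarded-For lines into one list, as the RFC 2616 passage quoted above allows, and then picks the client address by walking from the right past the proxies it trusts. The function names, the Pound address 10.0.0.5 and the appended value 192.0.2.10 are assumptions made for illustration.

```python
import ipaddress

# Header lines as a backend behind Pound might receive them. The first value is
# the one reported in the thread; 192.0.2.10 (appended by Pound) is constructed.
SAMPLE = [
    ("X-Forwarded-For", "200.217.44.204, unknown"),
    ("Host", "somehost.com:80"),
    ("X-Forwarded-for", "192.0.2.10"),
]

def combine_field_values(headers, name="x-forwarded-for"):
    """Fold all lines named `name` into one element list, in received order."""
    elements = []
    for field_name, field_value in headers:
        if field_name.strip().lower() != name:
            continue
        elements.extend(v.strip() for v in field_value.split(",") if v.strip())
    return elements

def client_address(headers, peer_addr, trusted_proxies):
    """Return the right-most hop that is not one of our own proxies.

    Entries to the left of that hop were supplied by parties we do not
    control, so they are not used. Returns None when a non-address token
    such as "unknown" is reached before an untrusted address is found.
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    chain = combine_field_values(headers) + [peer_addr]
    addr = None
    for token in reversed(chain):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            return None
        if not any(addr in net for net in trusted):
            return str(addr)
    return str(addr)  # every hop is trusted: the request started inside

if __name__ == "__main__":
    pound = "10.0.0.5"  # constructed address of the Pound host
    print(combine_field_values(SAMPLE))
    print(client_address(SAMPLE, pound, [pound + "/32"]))      # both lines read
    print(client_address(SAMPLE[:2], pound, [pound + "/32"]))  # first line only
```

Reading only the first header line leaves the backend with "unknown" as the nearest hop, while folding both lines recovers the address the proxy itself observed.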

Re: X-Forwarded-For unknown?
Sascha Ottolski <sascha.ottolski(at)gallileus.de>
2004-09-10 11:30:54
On Wednesday, 8 September 2004 18:43, you wrote:[...]


Robert,

you're absolutely right. In case others find this a problem too: I just 
found out someone already filed the bug along with a solution:

http://zope.org/Collectors/Zope/908


Greets,

Sascha
