X-Forwarded-for header behaviour
Alex Hunsley <alex.hunsley(at)blueyonder.co.uk>
2007-09-27 11:27:08

I've just confirmed that Pound's behaviour regarding the X-Forwarded-for
header appears to be incorrect.

According to the page http://en.wikipedia.org/wiki/X-Forwarded-For,
successive IP addresses should be appended to the one header, e.g.:

X-Forwarded-for: 1.2.3.4, 5.6.7.8, 9.10.11.12

whereas pound is doing this:

X-Forwarded-for: 1.2.3.4
X-Forwarded-for: 5.6.7.8
X-Forwarded-for: 9.10.11.12

I'm not actually even sure if repeating a header is 'allowed' in itself
according to the standards....

Am looking at the code, if I manage to make a patch, I'll send it here.
lex

Re: X-Forwarded-for header behaviour
Alex Hunsley <alex.hunsley(at)blueyonder.co.uk>
2007-09-27 15:12:51

Alex Hunsley wrote:[...]
Ok, I've fixed the X-Forwarded-For behaviour to act in the usual way as
detailed above (in Pound source for 2.3.2). I've packet sniffed the
traffic to check the behaviour and it seems to be working ok.
I've attached the patch compiled with linux 'diff' in the usual way,
maybe someone else would like it too.
(The horizontal whitespace is now slightly out for some reason in the
diff file, sorry about that.)
lex

Re: [Pound Mailing List] X-Forwarded-for header behaviour
Robert Segall <roseg(at)apsis.ch>
2007-09-27 19:16:35

On Thu, 2007-09-27 at 10:27 +0100, Alex Hunsley wrote:[...]
See RFC 2616, chapter 4.2: multiple headers with the same name are the
same as one header with a comma-separated list of values.[...]

Re: [Pound Mailing List] X-Forwarded-for header behaviour
Jacques Caron <jc(at)oxado.com>
2007-09-27 19:27:47

The HTTP specification (RFC2616) states that both forms are perfectly
acceptable and equivalent:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
[...]
Note that I believe that Apache actually does exactly that when
interpreting the headers, and in a CGI or equivalent environment
you'll get a single entry with all IPs separated by commas.
Jacques.
At 11:27 27/09/2007, Alex Hunsley wrote:[...]

Re: [Pound Mailing List] X-Forwarded-for header behaviour
Alex Hunsley <alex.hunsley(at)blueyonder.co.uk>
2007-09-27 21:45:21

Robert Segall wrote:[...][...][...]
Ah, thanks!
Alex

Re: [Pound Mailing List] X-Forwarded-for header behaviour
Alex Hunsley <alex.hunsley(at)blueyonder.co.uk>
2007-09-27 21:50:08

Jacques Caron wrote:[...][...][...]
Interesting, thanks.
Having Pound do the variant where they all go into one header is
actually very useful for me, because I want a pound instance behind the
front one to use the compressed version of the X-Forwarded-For header in
its entirety, rather than the first value found (i.e. first proxy which
set the header in the chain).
Alex
[...][...][...]
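
An added example (not part of the thread and not Pound's code) of the folding rule from RFC 2616 section 4.2 cited in the replies: it combines repeated X-Forwarded-For lines in received order and shows what a consumer that reads only the first matching line sees in each form. The raw requests, the host name backend.example and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: the repeated-header form shown in the thread,
# one X-Forwarded-For line per hop (addresses are the thread's placeholders).
REPEATED = (
    "GET / HTTP/1.1\r\n"
    "Host: backend.example\r\n"
    "X-Forwarded-for: 1.2.3.4\r\n"
    "X-Forwarded-for: 5.6.7.8\r\n"
    "X-Forwarded-for: 9.10.11.12\r\n"
    "\r\n"
)
# Constructed sample: the same chain in the single-header form.
COMBINED = (
    "GET / HTTP/1.1\r\n"
    "Host: backend.example\r\n"
    "X-Forwarded-For: 1.2.3.4, 5.6.7.8, 9.10.11.12\r\n"
    "\r\n"
)


def header_lines(raw, name):
    """Return the raw value of every field called `name`, in received order."""
    values = []
    for line in raw.split("\r\n")[1:]:      # skip the request line
        if not line:                        # blank line ends the header block
            break
        field, _, value = line.partition(":")
        if field.strip().lower() == name.lower():   # names are case-insensitive
            values.append(value.strip())
    return values


def combine(raw, name="X-Forwarded-For"):
    """RFC 2616 sec. 4.2: append each later field-value to the first, comma-separated."""
    return ", ".join(header_lines(raw, name))


def forwarded_chain(raw):
    """Split the combined value into IP strings, order preserved.
    Raises ValueError if an entry is not a valid IP address."""
    parts = [p.strip() for p in combine(raw).split(",") if p.strip()]
    return [str(ipaddress.ip_address(p)) for p in parts]


def first_line_only(raw, name="X-Forwarded-For"):
    """What a consumer sees if it reads only the first matching header line."""
    lines = header_lines(raw, name)
    return lines[0] if lines else None
```

A consumer that folds the fields gets the same chain from both forms; one that stops at the first matching line gets only 1.2.3.4 from the repeated form.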

Re: [Pound Mailing List] X-Forwarded-for header behaviour
Rune Saetre <rune.saetre(at)netcom-gsm.no>
2007-09-27 22:56:28

Hi
I feel that pound should continue appending its own separate
X-Forwarded-For header as it does today, since it should not be Pound's
task to rewrite the structure of the X-Forwarded-For headers.
If this logic should be implemented anywhere it should be in a separate
session tracker for X-Forwarded-For headers. I think Session Type HEADER
should use the value of the header verbatim, and not anything rewritten in
any way.
Regards
Rune
---
Rune Sætre <rune.saetre(at)netcom-gsm.no>
NetCom as
..
On Thu, 27 Sep 2007, Alex Hunsley wrote:
[...][...]
>>> Multiple message-header fields with the same field-name MAY be present in
>>> a message if and only if the entire field-value for that header field is
>>> defined as a comma-separated list [i.e., #(values)]. It MUST be possible
>>> to combine the multiple header fields into one "field-name: field-value"
>>> pair, without changing the semantics of the message, by appending each
>>> subsequent field-value to the first, each separated by a comma. The order
>>> in which header fields with the same field-name are received is therefore
>>> significant to the interpretation of the combined field value, and thus a
>>> proxy MUST NOT change the order of these field values when a message is
>>> forwarded.[...][...][...]
>>> I've just confirmed that Pound's behaviour regarding the X-Forwarded-for
>>> header appears to be incorrect.
>>>
>>> According to the page http://en.wikipedia.org/wiki/X-Forwarded-For,
>>> successive IP addresses should be appended to the one header, e.g.:
>>>
>>> X-Forwarded-for: 1.2.3.4, 5.6.7.8, 9.10.11.12
>>>
>>> whereas pound is doing this:
>>>
>>> X-Forwarded-for: 1.2.3.4
>>> X-Forwarded-for: 5.6.7.8
>>> X-Forwarded-for: 9.10.11.12
>>>
>>> I'm not actually even sure if repeating a header is 'allowed' in itself
>>> according to the standards....
>>>
>>> Am looking at the code, if I manage to make a patch, I'll send it here.
>>> lex