Remove ProxyMiddleware #5607

Merged (5 commits), May 9, 2019
20 changes: 14 additions & 6 deletions readthedocs/analytics/utils.py
Expand Up @@ -17,15 +17,23 @@


def get_client_ip(request):
"""Gets the real IP based on a request object."""
ip_address = request.META.get('REMOTE_ADDR')
"""
Gets the real client's IP address.

It returns the real IP address of the client based on ``HTTP_X_FORWARDED_FOR``
header. If the header is not found, it returns ``None``.
"""

x_forwarded_for = request.META.get('HTTP_X_FORWARDED_FOR', '')

# Get the original IP address (eg. "X-Forwarded-For: client, proxy1, proxy2")
x_forwarded_for = request.META.get('HTTP_X_FORWARDED_FOR', '').split(',')[0]
if x_forwarded_for:
ip_address = x_forwarded_for.rsplit(':')[0]
Contributor

This logic was removed and also shouldn't be. The X-Forwarded-For header is not exactly a standard but some implementations include a port number. This line strips that port number.

This function is correct and working as-is. Is there a reason to change it? I do appreciate comments which capture the reasoning though.

Member Author (@dojutsu-user, Apr 20, 2019)

@davidfischer

The X-Forwarded-For header is not exactly a standard but some implementations include a port number.

Thank you for this information. I didn't find this while searching about the header and removed this line thinking that it can produce bugs.
I have updated the code.

Is there a reason to change it?

The only reason was the readability and to improve comments.

Member

We should add tests for this also.

Member Author

@ericholscher
I have added the tests.

# HTTP_X_FORWARDED_FOR can be a comma-separated list of IPs.
# The client's IP will be the first one.
# (eg. "X-Forwarded-For: client, proxy1, proxy2")
real_ip = x_forwarded_for.split(',')[0].strip()
return real_ip

return ip_address
return None
Contributor

There are two cases here and these changes neglect one of them:

  • If X-Forwarded-For is present, this function should return the first value from the comma separated list. Arguably, it could validate that it is a real IP address, but that isn't that important.
  • If X-Forwarded-For is not present, this function should return the value from REMOTE_ADDR. This implementation returns None.

This function is used in advertising code for geo-targeting as well as being used for server side analytics (currently used in advertising but in the future might replace Google Analytics JS) but the middleware can be safely removed.

Member Author

@davidfischer
Thank you for the information.
I have updated the PR.

Will there be any case in which both of these headers are not found? Currently the implementation returns None in that case.
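Added example, not code from the readthedocs PR: a `get_client_ip` that covers both cases raised in the review above (header present, header absent, neither present), strips the port form davidfischer mentions without mangling IPv6, validates the result, and goes one step further than the PR by choosing the entry by the number of trusted proxies rather than always taking the first one, since the leftmost entry is whatever the client sent. The `trusted_proxies` count (assumed to be 1) and the sample addresses are assumptions for illustration.

```python
import ipaddress


def _strip_port(value):
    """Drop a trailing ":port" from "1.2.3.4:5678" or "[2001:db8::1]:5678".

    A bare IPv6 address ("2001:db8::1") has colons but no port and is returned
    unchanged; the removed ``rsplit(':')[0]`` would have reduced it to "2001".
    """
    value = value.strip()
    if value.startswith('['):              # bracketed IPv6, with or without port
        return value[1:].split(']', 1)[0]
    if value.count(':') == 1:              # IPv4 followed by a port
        return value.split(':', 1)[0]
    return value                           # plain IPv4, or IPv6 without port


def _valid_ip(value):
    """Return the normalised address, or None if it is not an IP at all."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def get_client_ip(meta, trusted_proxies=1):
    """Return the client IP for a Django-style ``META`` dict, or ``None``.

    Each proxy appends the address it received the request from, so the
    rightmost ``trusted_proxies`` entries were written by infrastructure we
    control, and the leftmost of those is the best available client address.
    Entries further left were supplied by the client and are ignored.
    ``trusted_proxies`` (assumed to be 1 here) must match the deployment.
    Falls back to ``REMOTE_ADDR`` when the header is absent.
    """
    header = meta.get('HTTP_X_FORWARDED_FOR', '')
    if header:
        hops = [_strip_port(h) for h in header.split(',') if h.strip()]
        if not hops:
            return None
        idx = max(len(hops) - max(trusted_proxies, 1), 0)
        return _valid_ip(hops[idx])       # None rather than a garbage value
    return _valid_ip(meta.get('REMOTE_ADDR', ''))
```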



def anonymize_ip_address(ip_address):
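Review bot: the new body drops the REMOTE_ADDR fallback, so a request that arrives without X-Forwarded-For now yields None where the old code returned request.META.get('REMOTE_ADDR'); restore the fallback by replacing the final `return None` with `return request.META.get('REMOTE_ADDR')`. Two smaller points on the same hunk: the removed `ip_address = x_forwarded_for.rsplit(':')[0]` was the only port handling, and it was itself unsafe for IPv6 (rsplit(':') with no maxsplit turns "2001:db8::1" into "2001"), so if port stripping is reinstated it should handle bracketed IPv6 as well; and because the function still takes split(',')[0], it uses the leftmost, client-supplied entry, which the ProxyMiddleware docstring deleted in this same PR explicitly warns can be spoofed, so the geo-targeting and analytics callers mentioned in the thread should treat the value as untrusted, or the function should pick the entry by trusted-proxy count.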
28 changes: 0 additions & 28 deletions readthedocs/core/middleware.py
Expand Up @@ -186,34 +186,6 @@ def process_request(self, request):
return None


# Forked from old Django
class ProxyMiddleware(MiddlewareMixin):

"""
Middleware that sets REMOTE_ADDR based on HTTP_X_FORWARDED_FOR, if the.

latter is set. This is useful if you're sitting behind a reverse proxy that
causes each request's REMOTE_ADDR to be set to 127.0.0.1. Note that this
does NOT validate HTTP_X_FORWARDED_FOR. If you're not behind a reverse proxy
that sets HTTP_X_FORWARDED_FOR automatically, do not use this middleware.
Anybody can spoof the value of HTTP_X_FORWARDED_FOR, and because this sets
REMOTE_ADDR based on HTTP_X_FORWARDED_FOR, that means anybody can "fake"
their IP address. Only use this when you can absolutely trust the value of
HTTP_X_FORWARDED_FOR.
"""

def process_request(self, request):
try:
real_ip = request.META['HTTP_X_FORWARDED_FOR']
except KeyError:
return None
else:
# HTTP_X_FORWARDED_FOR can be a comma-separated list of IPs. The
# client's IP will be the first one.
real_ip = real_ip.split(',')[0].strip()
request.META['REMOTE_ADDR'] = real_ip


class FooterNoSessionMiddleware(SessionMiddleware):

"""
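Review bot: removing the middleware also removes the only place REMOTE_ADDR was rewritten, so after this change REMOTE_ADDR is the reverse proxy's address (the docstring's 127.0.0.1 case) for every consumer, not only the analytics code; before merging, confirm that nothing else (logging, throttling, allow-lists) reads request.META['REMOTE_ADDR'] expecting the client address. The deleted docstring's warning that anybody can spoof HTTP_X_FORWARDED_FOR still applies to the new get_client_ip, which reads the same header; consider carrying that sentence over to its docstring.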
1 change: 0 additions & 1 deletion readthedocs/settings/base.py
Expand Up @@ -126,7 +126,6 @@ def USE_PROMOS(self): # noqa
return 'readthedocsext.donate' in self.INSTALLED_APPS

MIDDLEWARE = (
'readthedocs.core.middleware.ProxyMiddleware',
'readthedocs.core.middleware.FooterNoSessionMiddleware',
'django.middleware.locale.LocaleMiddleware',
'django.middleware.common.CommonMiddleware',
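Review bot: ProxyMiddleware was first in MIDDLEWARE, so every later middleware previously saw the rewritten REMOTE_ADDR; with it gone they see the proxy address, which is consistent with the core/middleware.py removal. Check that no other settings module that copies or extends this tuple still lists 'readthedocs.core.middleware.ProxyMiddleware', since Django would fail to import the removed class at startup.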