[Django] #30729: Forwarded Header

Django

Aug 25, 2019, 8:30:05 AM
to django-...@googlegroups.com
#30729: Forwarded Header
-----------------------------------------+------------------------
Reporter: Ben Stähli | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 2.2
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+------------------------
As seen here https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
the Forwarded header seems to become the new and standardized way to define
the forwarded ip/protocol when using a proxy. And to supersede the existing
X-Forwarded-For/Proto/Protocol/etc headers.

A quick glimpse into the code looks like currently there is still the
"legacy" approach used. Are there any plans to use the new header?

--
Ticket URL: <https://code.djangoproject.com/ticket/30729>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Aug 25, 2019, 8:31:07 AM
to django-...@googlegroups.com
#30729: Forwarded Header
-------------------------------+--------------------------------------
Reporter: Ben Stähli | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 2.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Description changed by Ben Stähli:

Old description:

> As seen here https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
> the Forwarded header seems to become the new and standardized way to define
> the forwarded ip/protocol when using a proxy. And to supersede the existing
> X-Forwarded-For/Proto/Protocol/etc headers.
>
> A quick glimpse into the code looks like currently there is still the
> "legacy" approach used. Are there any plans to use the new header?

New description:

As seen here https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
the Forwarded header seems to become the new and standardized way to define
the forwarded ip/protocol when using a proxy. And to supersede the existing
(well established) X-Forwarded-For/Proto/Protocol/etc headers.

A quick glimpse into the code looks like currently there is still the
"legacy" approach used. Are there any plans to use the new header?

--
Ticket URL: <https://code.djangoproject.com/ticket/30729#comment:1>

Django

Aug 25, 2019, 2:48:24 PM
to django-...@googlegroups.com
#30729: Add support for the RFC 7239 Forwarded header
-------------------------------+--------------------------------------
Reporter: Ben Stähli | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 2.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------

Comment (by Claude Paroz):

Can you tell us a bit more about the current adoption state of this
header?

--
Ticket URL: <https://code.djangoproject.com/ticket/30729#comment:2>

Django

Aug 26, 2019, 3:12:48 AM
to django-...@googlegroups.com
#30729: Add support for the RFC 7239 Forwarded header
-------------------------------+--------------------------------------
Reporter: Ben Stähli | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 2.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------

Comment (by Ben Stähli):

Not really. But it would be a good thing to go ahead and support it,
otherwise it will never be adopted. Also, it is an RFC, so I guess it will
probably become the new standard. Tomorrow, or in some years only, who
knows.

A quick research shows that some frameworks are discussing it.

- https://duckduckgo.com/?q=is+RFC-7239+forwarded+support&t=canonical&ia=web
- https://github.com/aspnet/AspNetCore/issues/5978
- https://issues.jboss.org/browse/UNDERTOW-1207?_sscc=t
- http://tomcat.10.x6.nabble.com/Bug-63080-New-Support-rfc7239-Forwarded-header-td5081951.html
- https://groups.google.com/forum/#!msg/golang-nuts/wc45kx0bsr8/BX1Dds8cAwAJ

--
Ticket URL: <https://code.djangoproject.com/ticket/30729#comment:3>

Django

Aug 27, 2019, 3:34:36 AM
to django-...@googlegroups.com
#30729: Add support for the RFC 7239 Forwarded header
-------------------------------+-----------------------------------------
Reporter: Ben Stähli | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: 2.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Someday/Maybe
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+-----------------------------------------
Changes (by Carlton Gibson):

* component: Uncategorized => HTTP handling
* type: Uncategorized => New feature
* stage: Unreviewed => Someday/Maybe


Comment:

I'm tempted to say `needsinfo` here, but, yes there's the RFC so I guess
we should pick it up at some point.

A case insensitive search for `x[-_]forwarded` doesn't turn up too many
results, so in theory it's easy enough... **but** we'd need to think about
supporting both approaches, probably indefinitely, and provide decent
documentation around that, and a migration to the new header from the old
(ones).

I'd like to see some detail on all that before we say "Yes, let's go!
''Accepted''". As such we'll call it ''Someday/Maybe'' for now. (Happy to
see more detail and/or an adjustment if someone wants to push it forward.)

--
Ticket URL: <https://code.djangoproject.com/ticket/30729#comment:4>

Django

Jan 10, 2020, 10:37:14 AM
to django-...@googlegroups.com
#30729: Add support for the RFC 7239 Forwarded header
-------------------------------+-----------------------------------------
Reporter: Ben Stähli | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: 2.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Someday/Maybe
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+-----------------------------------------

Comment (by Santiago Basulto):

I'd be tempted to take over this. I'd like to know what "add support"
would involve. Is it just trusting hosts based on X-Forwarded as we do
with [x-forwarded-host](https://docs.djangoproject.com/en/3.0/ref/settings/#use-x-forwarded-host)?

--
Ticket URL: <https://code.djangoproject.com/ticket/30729#comment:5>

Django

Jan 10, 2020, 10:44:53 AM
to django-...@googlegroups.com
#30729: Add support for the RFC 7239 Forwarded header
-------------------------------+-----------------------------------------
Reporter: Ben Stähli | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: 2.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Someday/Maybe
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+-----------------------------------------

Comment (by Ben Stähli):

Add support means all aspects of the new header need to be covered. As far
as I can see, this touches at least these settings:

- SECURE_PROXY_SSL_HEADER
  https://docs.djangoproject.com/en/3.0/ref/settings/#secure-proxy-ssl-header
- USE_X_FORWARDED_HOST
  https://docs.djangoproject.com/en/3.0/ref/settings/#use-x-forwarded-host
- USE_X_FORWARDED_PORT
  https://docs.djangoproject.com/en/3.0/ref/settings/#use-x-forwarded-port

And the parsing and security part is not to be underestimated, as it's only
one header that must be parsed.

Replying to [comment:5 Santiago Basulto]:

> I'd be tempted to take over this. I'd like to know what "add support"
> would involve. Is it just trusting hosts based on X-Forwarded as we do
> with [https://docs.djangoproject.com/en/3.0/ref/settings/#use-x-forwarded-host x-forwarded-host]?

--
Ticket URL: <https://code.djangoproject.com/ticket/30729#comment:6>
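
The parsing and trust concern raised in comment 6, as an added example that is not part of the ticket and is not Django code: a fail-closed RFC 7239 parser that reads only the element appended by a proxy the deployment operates. The names `parse_forwarded`, `trusted_element`, `is_secure` and the `trusted_hops` parameter are hypothetical, the sample header is constructed, and the parser is deliberately stricter than the RFC (empty list elements are rejected).

```python
import re

# RFC 7230 token, and one RFC 7239 forwarded-pair: token "=" (token / quoted-string)
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
PAIR = re.compile(r'\s*(' + TOKEN + r')=(?:(' + TOKEN + r')|"((?:[^"\\]|\\.)*)")\s*')

# Constructed sample: the left element arrived with the client's request, the
# right one was appended by our own reverse proxy.
SAMPLE = ('for="198.51.100.7, 10.0.0.1";proto=https, '
          'For="[2001:db8::17]:4711";Proto=http;by=203.0.113.43')

def parse_forwarded(header):
    """Return one dict per forwarded-element, left to right. Fails closed:
    raises ValueError on anything outside the pair grammar."""
    elements, current, pos = [], {}, 0
    while True:
        m = PAIR.match(header, pos)
        if not m:
            raise ValueError("malformed Forwarded header at offset %d" % pos)
        name = m.group(1).lower()          # parameter names are case-insensitive
        if name in current:                # each parameter at most once per element
            raise ValueError("duplicate parameter %r" % name)
        quoted = m.group(3)
        current[name] = m.group(2) if quoted is None else re.sub(r"\\(.)", r"\1", quoted)
        pos = m.end()
        if pos == len(header):
            elements.append(current)
            return elements
        if header[pos] == ",":             # a comma outside quotes starts the next hop
            elements.append(current)
            current = {}
        elif header[pos] != ";":           # a semicolon continues the same element
            raise ValueError("unexpected %r at offset %d" % (header[pos], pos))
        pos += 1

def trusted_element(header, trusted_hops=1):
    """Element written by the outermost proxy we operate, counted from the
    right. Elements further left are client-supplied and never consulted."""
    elements = parse_forwarded(header)
    if not 1 <= trusted_hops <= len(elements):
        raise ValueError("trusted_hops does not match the number of elements")
    return elements[-trusted_hops]

def is_secure(header, trusted_hops=1):
    """True only if the trusted element itself says proto=https."""
    return trusted_element(header, trusted_hops).get("proto", "").lower() == "https"
```

Splitting the sample on every comma would yield three pieces instead of two, because the quoted `for` value contains a comma; the tokenizer above keeps it inside one element.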

Django

Mar 26, 2020, 3:23:02 PM
to django-...@googlegroups.com
#30729: Add support for the RFC 7239 Forwarded header
-------------------------------+-----------------------------------------
Reporter: Ben Stähli | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: 2.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Someday/Maybe
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+-----------------------------------------
Changes (by Narbonne):

* cc: Narbonne (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/30729#comment:7>

Django

Oct 25, 2020, 3:04:27 PM
to django-...@googlegroups.com
#30729: Add support for the RFC 7239 Forwarded header
-------------------------------+-----------------------------------------
Reporter: Ben Stähli | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: 2.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Someday/Maybe
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+-----------------------------------------
Changes (by Adam (Chainz) Johnson):

* cc: Adam (Chainz) Johnson (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/30729#comment:8>

Django

Jan 24, 2023, 11:11:43 PM
to django-...@googlegroups.com
#30729: Add support for the RFC 7239 Forwarded header
-------------------------------+-----------------------------------------
Reporter: Ben Stähli | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: 2.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Someday/Maybe
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+-----------------------------------------
Changes (by Maciej Olko):

* cc: Maciej Olko (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/30729#comment:9>

Django

Apr 30, 2023, 3:45:01 PM
to django-...@googlegroups.com
#30729: Add support for the RFC 7239 Forwarded header
-------------------------------+-----------------------------------------
Reporter: Ben Stähli | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: 2.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Someday/Maybe
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+-----------------------------------------
Changes (by braiam):

* cc: braiam (added)


--
Ticket URL: <https://code.djangoproject.com/ticket/30729#comment:10>

Django

Mar 12, 2024, 1:59:23 AM
to django-...@googlegroups.com
#30729: Add support for the RFC 7239 Forwarded header
-------------------------------+-----------------------------------------
Reporter: Ben Stähli | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: 2.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Someday/Maybe
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+-----------------------------------------
Changes (by Ülgen Sarıkavak):

* cc: Ülgen Sarıkavak (added)

--
Ticket URL: <https://code.djangoproject.com/ticket/30729#comment:11>

Django

Mar 23, 2024, 11:44:52 PM
to django-...@googlegroups.com
#30729: Add support for the RFC 7239 Forwarded header
-------------------------------+-----------------------------------------
Reporter: Ben Stähli | Owner: nobody
Type: New feature | Status: new
Component: HTTP handling | Version: 2.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Someday/Maybe
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+-----------------------------------------
Changes (by Ryan Hiebert):

* cc: Ryan Hiebert (added)

--
Ticket URL: <https://code.djangoproject.com/ticket/30729#comment:12>