How to fix request.client_addr

[Zsolt Ero]

I got a weird bug, in which request.client_addr was reported as 192.168.76.75:52411, which broke a function which expected it to be a standard IP address. In the documentation I've read that this could be anything, so I guess this isn't a surprise.

I am using CloudFlare -> nginx -> gunicorn -> pyramid setup. These were the headers of that request:

X-Forwarded-For 192.168.76.75:52411,67.133.63.210, 108.162.246.204

Cf-Connecting-Ip 67.133.63.210

My question is that since I'm using CloudFlare and I know that Cf-Connecting-Ip is a reliable, trustable source of IP address, unlike X-Forwarded-For. How should I modify my request.client_addr to use this value whenever it is present?

Zsolt

[Bert JW Regeer]

Set up the WSGI environment appropriately, replacing the X-Forwarded-For with the value of Cf-Connecting-Ip.

Bert

> --
> You received this message because you are subscribed to the Google Groups "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to pylons-discus...@googlegroups.com.
> To post to this group, send email to pylons-...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/pylons-discuss/e643ca5d-763e-45bd-b077-d09b448b2fb8%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[Zsolt Ero]

Hi, can you guide me how is it best to do it? I'm using nginx -> gunicorn -> pyramid, where should I be modifying the WSGI environment?

[Jonathan Vanasco]

You can do this in nginx.

Cloudflare publishes a list of trusted ips; the nginx set_real_ip module will only apply the real-ip header to those matching ips.

https://support.cloudflare.com/hc/en-us/articles/200170706-How-do-I-restore-original-visitor-IP-with-Nginx-

you could do it in python, but it would be easier to just enable the nginx module

[Zsolt Ero]

Thanks, that's a great howto, unfortunately, I'd need to compile nginx
from sources to get that module.

> --
> You received this message because you are subscribed to a topic in the
> Google Groups "pylons-discuss" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/pylons-discuss/3dh4lS1PVog/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to

> pylons-discus...@googlegroups.com.
> To post to this group, send email to pylons-...@googlegroups.com.
> To view this discussion on the web visit

> https://groups.google.com/d/msgid/pylons-discuss/3976a70a-3e60-41f1-a94f-3afb6048637f%40googlegroups.com.

[Jonathan Vanasco]

On Thursday, April 28, 2016 at 9:47:50 PM UTC-4, Zsolt Ero wrote:

Thanks, that's a great howto, unfortunately, I'd need to compile nginx
from sources to get that module.

Unless you don't have root access, compiling nginx from source is honestly the best way to deploy your server.  nginx has frequent releases, and the linux distros are all way behind.  it's a very simple build from source too.

You could also contact cloudflare and see if they're willing to build/distribute a uwsgi middleware that can handle this for the greater python community (pyramid, django, cherrypy, etc).

but the best option would be handling this in nginx, which should also improve your server logs as well.

FYI cloudflare uses nginx internally and their staff are behind the openresty project.  many nginx core modules and much recent functionality originated in openresty.