Django-rest-framework: Throttling - NUM_PROXIES

Created on 7 Aug 2015 · 5 comments · Source: encode/django-rest-framework

According to Wikipedia:

The general format of the field is:
X-Forwarded-For: client, proxy1, proxy2

But the DRF Doc on Throttling:

If set to non-zero then the client IP will be identified as being the last IP address in the X-Forwarded-For header, once any application proxy IP addresses have first been excluded.

If my goal is to get the Client IP, shouldn't this always be the first IP address in the header?

Right now if my X-Forwarded-For header contains "client, proxy1, proxy2" and I set NUM_PROXIES to 2, get_ident() returns "proxy1".

I'm not sure if I'm missing something here or if this is a bug?

All 5 comments

If my goal is to get the Client IP, shouldn't this always be the first IP address in the header?

Nope - it needs to be the IP immediately prior to the proxy IPs, because that's the only one you can trust, as that IP has been added to the list by a server under your control. Any other IPs prior to that could simply have been included by the client.

So...

[ip] [ip] [proxy-ip] [proxy-ip]
       ^
     we can trust this one, only

Eg from the wikipedia entry...

Since it is easy to forge an X-Forwarded-For field the given information should be used with care. The last IP address is always the IP address that connects to the last proxy, which means it is the most reliable source of information. X-Forwarded-For data can be used in a forward or reverse proxy scenario.

In the example you've given...

X-Forwarded-For: client, proxy1, proxy2

We should be excluding proxy1 and proxy2, and then including the last item in the list (which is now just client). However, note that the number of proxies involved in this case is not 2, but 3...

The last proxy IP address in a chain is not contained within the X-Forwarded-For field; it is in the actual IP header.
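The rule in the comment above, worked through in code. This is an added example written for this page, not DRF's own source: `client_ip()` follows the same "drop the trailing proxy entries, take the last one left" logic that DRF's `get_ident()` applies, and `simulate_chain()` builds the header a well-behaved proxy chain would produce so that the two readings of the header can be compared. All addresses are constructed, and the proxy hostnames are placeholders.

```python
"""Client identification from X-Forwarded-For with a NUM_PROXIES setting.

Added example (not DRF code). Models the thread's point: the last proxy in
the chain is the TCP peer (REMOTE_ADDR), so it never appears in the header,
and only the entry immediately before the proxy-written entries is trustworthy.
"""


def append_forwarded_for(existing_xff, peer_addr):
    """What a well-behaved proxy does on each hop: append the address it
    accepted the connection from, creating the header if it is absent."""
    if existing_xff:
        return f"{existing_xff}, {peer_addr}"
    return peer_addr


def simulate_chain(client_addr, proxies, client_supplied_xff=None):
    """Return (xff_header, remote_addr) as the application sees them after
    client -> proxies[0] -> ... -> proxies[-1] -> app.

    A client may send its own X-Forwarded-For value; proxies just append to
    whatever they receive, which is why the leading entries cannot be trusted.
    """
    xff = client_supplied_xff
    peer = client_addr
    for proxy in proxies:
        xff = append_forwarded_for(xff, peer)
        peer = proxy
    # The final proxy is the peer of the application socket: REMOTE_ADDR.
    return xff, peer


def client_ip(xff, remote_addr, num_proxies):
    """Identify the client the way the thread describes.

    NUM_PROXIES counts every proxy, including the one in REMOTE_ADDR, so with
    N proxies only N-1 entries of the header were written by proxies and the
    entry at index -N is the one the first proxy saw connecting to it.
    """
    if num_proxies == 0 or not xff:
        return remote_addr
    addrs = [a.strip() for a in xff.split(",")]
    # Clamp so a header shorter than expected cannot index past the start.
    return addrs[-min(num_proxies, len(addrs))]


def first_entry(xff, remote_addr):
    """The reading proposed in the question: take the first entry."""
    if not xff:
        return remote_addr
    return xff.split(",")[0].strip()


if __name__ == "__main__":
    # Constructed chain: client -> proxy1 -> proxy2 -> proxy3 -> app
    proxies = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    xff, remote = simulate_chain("203.0.113.10", proxies)
    print(xff, "| REMOTE_ADDR =", remote)
    print("NUM_PROXIES=3:", client_ip(xff, remote, 3))
    print("NUM_PROXIES=2:", client_ip(xff, remote, 2))  # the reporter's result
    # Same chain, but the client sends its own header value first.
    xff2, remote2 = simulate_chain("203.0.113.10", proxies, "198.51.100.99")
    print("first entry:", first_entry(xff2, remote2))
    print("NUM_PROXIES=3:", client_ip(xff2, remote2, 3))
```

Running it reproduces the issue: with three proxies in front of the application the header reads `client, proxy1, proxy2`, `NUM_PROXIES=2` yields `proxy1` and `NUM_PROXIES=3` yields the client. When the client supplies its own header value, `first_entry()` returns that value while `client_ip()` with the correct count is unaffected, which is the whole reason the setting counts from the end.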

I see, thanks for the explanation.

However note that the number of proxies involved in this case is not 2, but 3...

This MUST be in the documentation. I've lost 1 day searching for this answer :)

@appli-intramuros best to get this done would be to open a PR about it.

@xordoquy I don't really know how to do it but I'll try.
Thanks.
