sean at monkeysnatchbanana.com
Fri Jul 11 08:59:38 EDT 2008
On Jul 11, 2008, at 6:17 AM, Graham Dumpleton wrote: > 2008/7/11 Sean Allen <sean at monkeysnatchbanana.com>: >> >> On Jul 10, 2008, at 10:07 PM, Graham Dumpleton wrote: >> >>>> We have one PostReadRequestHandler >>>> All the rest of RequestHandlers >>>> >>>> The PostReadRequestHandler does some across the board setup >>>> including >>>> setting >>>> the remote_ip in the connection to the value of X-Forwarded-For, >>>> if said >>>> header exists and if the connection is being proxied. >>> >>> Is that something which could be done by mod_headers or one of the >>> other modules available for fiddling with headers? >>> >>> Graham >> >> Well, the entire idea is that in mod_perl the remote_ip returns >> 127.0.0.1 >> and the X-Forwarded-For header has the actual real value. The >> PostReadRequestHandler >> corrects that so that code doesnt need to know if it is being >> proxied to or >> not. >> >> So that is a bit beyond what mod_headers does. I take it from the >> question, >> this could be an issue? > > Hmmm, you do realise though that the client IP cannot even really be > relied upon? For example, large ISPs often have all traffic from that > IP appearing as same client IP. This can often cause problems for > session based mechanisms which use client IP address in some way. I understand but we need to rely on them as much as possible for various legal reasons. For example, we need the ip address if someone asks for more info by filling out a form. If we mail them and they later complain and we dont have an ip address that they came from ( even an aggregated one ), isps tend to frown on you as its part of CAN-SPAM in the US to have to provide 'signup' url and ip address.