dreid at dreid.org
Thu Jan 19 10:24:01 MST 2006
Andrea Arcangeli wrote:
> This fixes one logging bug:
> 1) the web2.vhost seems buggy, not fixing up the req.uri; I had to fix up
> req.uri to get logging right in my vhost hack that understands the
> twisted.web reverse proxy with clientPass=True (my old twisted.web patch)
Judging from the way Request actually deals with .uri it should be _uri,
I'll discuss this with foom and fix it later.
> 2) assuming that I had web2 on the reverse proxy, would it already pass
> down the remote_ip information, or does only apache2 do that? (the only one
> capable of receiving the remote_ip is AutoVHostURIRewrite, but the
> deployment only talks about apache2.) Also note that for me it's fundamentally
> important for security reasons to have the port too: one needs the port
> to safely identify a box behind a NAT (assuming the NAT admin is
> capable of logging all connection tracking; if he doesn't, he will
> take the blame). Is the apache2/twisted.web2 reverse proxy protocol
> passing down the peer port too in the x-forwarded-host?
As far as I know twisted.web.proxy.ReverseProxyResource doesn't send
X-Forwarded-For. I don't think Apache2 sends the port. I'm not sure
what to do about this other than subclass and fix; it seems like a
pretty special case to me. Perhaps security would be better provided
through another means, because, as you said, it only works if the
connection tracking is logged, which most SOHO devices don't do.
> 3) if the answer to 2 is no, can I forward-port to web2 my simple hack to
> twisted.web that I need in order to plug klive on top of twisted.web2?
Twisted.web2 is backwards compatible, in that it knows what a
twisted.web resource expects, and is capable of translating to that from
what Twisted.web2 uses (see twisted.web2.compat). You should be able to
just drop that exact ReverseProxyResource into a twisted.web2 tree and
have it work. (While you're at it you might as well patch it to send
the client via X-Forwarded-For, and to send the other headers
AutoURIRewrite expects.)
> Here for reference is my old patch that is running on cpushare.com today,
> that my web2 vhost hack understands, and that passes down to
> klive both ip and port (setClient was actually used by the nevow.vhost,
> now obsoleted by web2 req.remoteAddr)
I'm not sure if tacking a :port onto the X-Forwarded-For header will
break other http servers.
> One more question, you said the channel is private, why don't we add __
> in front of it. Python is capable of autodocumenting without possibility
> for mistakes all private parts of a class.
Send me a patch (on or offlist) that changes chanRequest to _chanRequest.
See the Twisted coding standards:
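The thread leaves two practical questions open: what a downstream server should do with an X-Forwarded-For entry that carries a ":port" suffix (the form Andrea's patch emits and dreid worries may break other servers), and how to avoid trusting a header the client itself can forge. The following is an added example, not code from the original post, from Twisted, or from cpushare.com; it assumes a single trusted reverse proxy at 10.0.0.5 and uses constructed header values. It parses each hop as either "ip" or "ip:port" (bracketed for IPv6, since a bare IPv6 literal is ambiguous with a port), ignores the header entirely unless the TCP peer is a trusted proxy, and then walks the chain from the right so that entries a client prepended itself are discarded.

```python
# Added example, not part of the original thread or of Twisted.
# Assumptions (not from the page): one trusted reverse proxy at 10.0.0.5,
# and X-Forwarded-For entries of the form "ip" or "ip:port" as in the
# thread's ":port" idea. Sample header values below are constructed.
import ipaddress

TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}  # assumed proxy address


def parse_hop(hop):
    """Parse one X-Forwarded-For entry into (ip_address_object, port_or_None).

    Accepts "198.51.100.7", "198.51.100.7:51234", "2001:db8::1" (no port,
    bare IPv6 cannot carry one unambiguously) and "[2001:db8::1]:443".
    Raises ValueError on anything else so callers never log garbage as a peer.
    """
    hop = hop.strip()
    if not hop:
        raise ValueError("empty X-Forwarded-For entry")
    port = None
    if hop.startswith("["):                      # "[v6]" or "[v6]:port"
        end = hop.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal: %r" % hop)
        addr_text, rest = hop[1:end], hop[end + 1:]
        if rest:
            if not rest.startswith(":"):
                raise ValueError("junk after IPv6 literal: %r" % hop)
            port = int(rest[1:])                 # int() raises on non-digits
    elif hop.count(":") == 1:                    # "v4:port"
        addr_text, port_text = hop.split(":")
        port = int(port_text)
    else:                                        # "v4" or bare "v6"
        addr_text = hop
    addr = ipaddress.ip_address(addr_text)       # raises ValueError if not an IP
    if port is not None and not 0 < port < 65536:
        raise ValueError("port out of range in %r" % hop)
    return addr, port


def client_from_forwarded(peer_ip, xff, trusted=TRUSTED_PROXIES):
    """Return (client_ip_str, client_port_or_None) for logging.

    peer_ip is the address of the TCP connection as the server sees it;
    xff is the raw X-Forwarded-For header value (or None).  The header is
    only believed when the peer is a trusted proxy, and trusted hops are
    stripped from the right, so a client that sends its own
    X-Forwarded-For cannot choose what gets logged.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted or not xff:
        return str(peer), None                   # direct or untrusted: ignore header
    hops = [parse_hop(h) for h in xff.split(",")]
    # Each proxy appends the peer *it* saw, so our own proxies show up at the
    # right end of the chain; discard those and take the next entry.
    while hops and hops[-1][0] in trusted:
        hops.pop()
    if not hops:
        return str(peer), None                   # header contained only our proxies
    addr, port = hops[-1]
    return str(addr), port


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    print(client_from_forwarded("10.0.0.5", "203.0.113.9:51234"))
    # a client-supplied fake entry is ignored because it is left of the real one
    print(client_from_forwarded("10.0.0.5", "1.2.3.4, 203.0.113.9:51234"))
    # a direct connection that carries a forged header is logged as the peer
    print(client_from_forwarded("198.51.100.20", "1.2.3.4:80"))
```

The ":port" suffix is harmless to this parser because an IPv4 entry with exactly one colon is unambiguous, which is the case dreid raises; it is IPv6 that needs the bracketed form. Note that only the port of the connection into the first trusted proxy is recoverable this way, and, as the thread says, it only identifies a NAT'd host if the NAT operator actually keeps connection-tracking logs.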