[Twisted-web] internal vs. external hostname in Request.getHost9)
Glyph Lefkowitz
glyph at twistedmatrix.com
Tue Mar 21 00:04:08 MDT 2017
> On Mar 20, 2017, at 12:23 PM, Ilya Skriblovsky <ilyaskriblovsky at gmail.com> wrote:
>
> This thread is mostly about X-Forwarded-Host & X-Forwarded-Proto because the original issue was inability of Twisted Web server to obtain it's public hostname. X-Forwarded-For is another (and probably more complex) story.
Note that the Forwarded header that Tom proposed actually has support for all 4 of these sub-headers:
https://tools.ietf.org/html/rfc7239#section-5.3
Just as a point of standards compliance, I'd really like to see support for the standard Forwarded: and non-standard X-Forwarded-...: variants at the same time, since these are just different syntaxes for the same thing.
(Worth noting, I think, that while 'forwarded for' can be spoofed by the client, any client that can set 'forwarded host' can also just set 'host', so there's no security issue here.)
> Django indeed dropped support for X-Forwarded-For, but it does support X-Forwarded-Host [1] and X-Forwarded-Proto [2] on opt-in basis.
>
> I'm agree that none of the headers should be trusted by default and that opting-in should be done at Site level.
Great, glad to here we're in agreement there.
-glyph
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://twistedmatrix.com/pipermail/twisted-web/attachments/20170320/83b4a7da/attachment.html>
More information about the Twisted-web
mailing list