id,summary,reporter,owner,description,type,status,priority,milestone,component,resolution,keywords,cc,branch,branch_author,launchpad_bug
5807,something in twisted.web should respect (x-)forwarded-for on the server side,glyph,,"This should work vaguely the same way that `twisted.web.vhost.VHostMonsterResource` works.

  - `Request.getHost()` should return the forwarded-for host rather than the `Host:`.
  - `Request.isSecure` should return the security of the [http://tools.ietf.org/html/draft-petersson-forwarded-for-02#section-5.4 proto] parameter

Like `VHostMonster`, there should be some configuration required to get into this mode.  One mechanism for doing that would be to have a `ForwardedForParserResource`; however, since the connecting address is quite important, it may also be reasonable to build this directly into `Site`.  Trusting random forwarded-for headers off the internet would not be good, so it should be easy to specify what the address of the expected terminating proxy is.

Also, forwarded-for is a bit more expressive than the vhostmonster idiom in that it can describe multiple hops.  This additional information should be exposed through an explicit API - perhaps a new `forwardedFor` method on Resource that returns an iterable of objects describing the hosts that it was forwarded through.

See #5806, http://tools.ietf.org/html/draft-petersson-forwarded-for-02",enhancement,new,normal,,web,,,allister.macleod@…,,,