+from django.core.exceptions import MiddlewareNotUsed
from django.utils.http import http_date
- Middleware that sets REMOTE_ADDR based on HTTP_X_FORWARDED_FOR, if the
- latter is set. This is useful if you're sitting behind a reverse proxy that
- causes each request's REMOTE_ADDR to be set to 127.0.0.1.
- Note that this does NOT validate HTTP_X_FORWARDED_FOR. If you're not behind
- a reverse proxy that sets HTTP_X_FORWARDED_FOR automatically, do not use
- this middleware. Anybody can spoof the value of HTTP_X_FORWARDED_FOR, and
- because this sets REMOTE_ADDR based on HTTP_X_FORWARDED_FOR, that means
- anybody can "fake" their IP address. Only use this when you can absolutely
- trust the value of HTTP_X_FORWARDED_FOR.
+ This middleware has been removed; see the Django 1.1 release notes for
+ It previously set REMOTE_ADDR based on HTTP_X_FORWARDED_FOR. However, after
+ investiagtion, it turns out this is impossible to do in a general manner:
+ different proxies treat the X-Forwarded-For header differently. Thus, a
+ built-in middleware can lead to application-level security problems, and so
+ this was removed in Django 1.1
- def process_request(self, request):
- real_ip = request.META['HTTP_X_FORWARDED_FOR']
- # HTTP_X_FORWARDED_FOR can be a comma-separated list of IPs. The
- # client's IP will be the first one.
- real_ip = real_ip.split(",").strip()
- request.META['REMOTE_ADDR'] = real_ip
+ warnings.warn("SetRemoteAddrFromForwardedFor has been removed. "
+ "See the Django 1.1 release notes for details.",
+ raise MiddlewareNotUsed()
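Review bot: Once `raise MiddlewareNotUsed()` runs, a site that still lists this middleware keeps serving requests with REMOTE_ADDR set to the proxy's address, so IP-based access rules, rate limits and audit logs silently change meaning, and the one warning is the only signal. The new docstring should state that consequence and what to do instead, for example `If you relied on this, write your own middleware that reads X-Forwarded-For only from the proxy you control; REMOTE_ADDR is now the proxy's address.` The docstring also misspells `investigation` as `investiagtion`, and its first added line stops at "release notes for" in this view. The `warnings.warn(` call as shown has no category argument or closing parenthesis, and no `import warnings` appears among the added lines; these and the enclosing method's signature may lie outside this view, so confirm them in the full file.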