Fixed #2552 -- Added SetRemoteAddrFromForwardedFor middleware and documentation. Thanks, Ian Holsman

git-svn-id: http://code.djangoproject.com/svn/django/trunk@3602 bcc190cf-cafb-0310-a4f2-bffc1f526a37

1 files changed, 17 insertions, 1 deletions

diff --git a/docs/middleware.txt b/docs/middleware.txt
index bad00fd890..efc4d89569 100644
--- a/docs/middleware.txt
+++ b/docs/middleware.txt
@@ -63,7 +63,7 @@ Adds a few conveniences for perfectionists:
   last component in the path contains a period. So ``foo.com/bar`` is
   redirected to ``foo.com/bar/``, but ``foo.com/bar/file.txt`` is passed
   through unchanged.
-  
+
   If ``PREPEND_WWW`` is ``True``, URLs that lack a leading "www." will be
   redirected to the same URL with a leading "www."
 
@@ -101,6 +101,22 @@ Handles conditional GET operations. If the response has a ``ETag`` or
 Also removes the content from any response to a HEAD request and sets the
 ``Date`` and ``Content-Length`` response-headers.
 
+django.middleware.http.SetRemoteAddrFromForwardedFor
+----------------------------------------------------
+
+**New in Django development version**
+
+Sets ``request['REMOTE_ADDR']`` based on ``request.['HTTP_X_FORWARDED_FOR']``,
+if the latter is set. This is useful if you're sitting behind a reverse proxy
+that causes each request's ``REMOTE_ADDR`` to be set to ``127.0.0.1``.
+
+**Important note:** This does NOT validate ``HTTP_X_FORWARDED_FOR``. If you're
+not behind a reverse proxy that sets ``HTTP_X_FORWARDED_FOR`` automatically, do
+not use this middleware. Anybody can spoof the value of
+``HTTP_X_FORWARDED_FOR``, and because this sets ``REMOTE_ADDR`` based on
+``HTTP_X_FORWARDED_FOR``, that means anybody can "fake" their IP address. Only
+use this when you can absolutely trust the value of ``HTTP_X_FORWARDED_FOR``.
+
 django.contrib.sessions.middleware.SessionMiddleware
 ----------------------------------------------------