Document why REMOTE_ADDR may not be the user's IP
Gunicorn v19 removed functionality which updated `REMOTE_ADDR` to the value of
the `X-Forwarded-For` header if received from a trusted upstream client.  This
was a violation of RFC 3875 CGI Version 1.1, and was hence removed.

Close: benoitc#1035
PR-URL: benoitc#1037
Related: benoitc#633

Signed-off-by: Hans Kristian Flaatten <hans.kristian.flaatten@turistforeningen.no>
Hans Kristian Flaatten committed May 21, 2015
1 parent 03e5295 commit 8e6b5dc
Showing 1 changed file with 12 additions and 0 deletions.
12 changes: 12 additions & 0 deletions docs/source/deploy.rst
Expand Up @@ -111,6 +111,18 @@ Gunicorn may come from untrusted proxies or directly from clients since the
application may be tricked into serving SSL-only content over an insecure
connection.

Gunicorn v19 introduced a breaking change concerning how ``REMOTE_ADDR`` is
handled. Previous to Gunicorn v19 this was set to the value of
``X-Forwarded-For`` if recieved from a trusted proxy. However, this was not in
compliance with `RFC 3875 CGI Version 1.1 <http://www.ietf.org/rfc/rfc3875>`_
which is why the ``REMOTE_ADDR`` is now the IP address of **the proxy** and
**not the actual user**. You should instead configure Nginx to send the user's
IP address through the ``X-Forwarded-For`` header like this::

...
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
...

Using Virtualenv
================

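Review bot: The added paragraph stops at the Nginx side and never tells the reader what the application has to do now that ``REMOTE_ADDR`` is the proxy's address. State that the application must read ``X-Forwarded-For`` itself, and should honour it only when the request arrived from the trusted proxy: the context lines just above already warn that requests "may come from untrusted proxies or directly from clients", and ``$proxy_add_x_forwarded_for`` appends the connecting peer's address to whatever header value the client sent, so only the last entry is the one Nginx wrote. Two wording points in the same paragraph: "recieved" in "if recieved from a trusted proxy" should be "received", and "Previous to Gunicorn v19" reads better as "Before Gunicorn v19".
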