django-user-sessions
Document how to override IP address (e.g. for reverse proxy)
When working with a reverse proxy in front of Django, request.META.get('REMOTE_ADDR', '') might not be set correctly. This is something that could easily be avoided by using e.g. django-ipware:
ipware.ip.get_ip(request)
This would unfortunately add a new requirement to django-user-sessions, but fix some issues in this project.
Happy to create a pull request if you want!
Hi @davidhalter. It might work for your situation, but not in general. Please refer to the explanation given in #12, #34 and #35 on why that is a bad idea.
I can understand the reasoning. However, I think in this case you should provide a way to configure a function that returns the IP address.
There is already a way to provide the correct IP address. For example, I use the following middleware on Heroku:
```python
class SetRemoteAddrFromForwardedFor(object):
    def process_request(self, request):
        try:
            real_ip = request.META['HTTP_X_FORWARDED_FOR']
        except KeyError:
            pass
        else:
            # HTTP_X_FORWARDED_FOR can be a comma-separated list of IPs.
            # Take just the first one.
            real_ip = real_ip.split(",")[0]
            request.META['REMOTE_ADDR'] = real_ip
```
However, it might be good to include such information in the documentation.
I'm using something similar. However, this is IMO not how configuration management should be working. IMO the function to get the IP should be configurable, receive a request object, and return an IP.
I came here looking for this exact solution. Your middleware code looks good and I will implement it. However, given the answer in this Stack Overflow, you might want to consider using the last IP address in X-Forwarded-For instead of the first, at least on Heroku.
@snoepkast thanks for the information, the snippet should indeed be updated. This is also a great example of why this package doesn't consider X-Forwarded-For headers. Every platform is different and this particular header is implementation specific.
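
A sketch of the configurable approach discussed in this thread, added here as an example and not code from django-user-sessions or from any commenter: it selects the X-Forwarded-For entry by counting from the right past the proxies you operate, and validates it before overwriting REMOTE_ADDR. The names `client_ip`, `TRUSTED_PROXY_COUNT` and `SetRemoteAddrFromTrustedProxy`, and the sample addresses, are assumptions.

```python
import ipaddress

# Assumption: how many reverse proxies you operate in front of Django. Each one
# appends the address of the peer it accepted the connection from.
TRUSTED_PROXY_COUNT = 1


def client_ip(meta, trusted_proxies=TRUSTED_PROXY_COUNT):
    """Return the address to store in REMOTE_ADDR, or None to leave it untouched."""
    header = meta.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in header.split(",") if h.strip()]
    # Entries to the left of the ones our proxies appended are client-supplied.
    if trusted_proxies < 1 or len(hops) < trusted_proxies:
        return None
    candidate = hops[-trusted_proxies]
    try:
        # Reject anything that is not a literal IPv4/IPv6 address.
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


class SetRemoteAddrFromTrustedProxy:
    """New-style middleware (hypothetical name); place it ahead of any
    middleware that reads REMOTE_ADDR."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        ip = client_ip(request.META)
        if ip is not None:
            request.META["REMOTE_ADDR"] = ip
        return self.get_response(request)


if __name__ == "__main__":
    # Constructed sample: the client sent its own "10.0.0.1" entry and the
    # single trusted proxy appended the peer address it actually saw.
    sample = {"HTTP_X_FORWARDED_FOR": "10.0.0.1, 203.0.113.7"}
    print(client_ip(sample))
```

If Django can also be reached without passing through the proxy, every entry in the header is client-supplied and REMOTE_ADDR should be left as it is.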