This queue is for tickets about the Plack-Middleware-ReverseProxy CPAN distribution.

Report information

The Basics
Id: 74778
Status: open
Priority: Low/Low

People
Owner: Nobody in particular
Requestors: bobtfish [...] bobtfish.net
Cc:
AdminCc:

BugTracker
Severity: Important
Broken in: 0.11
Fixed in: (no value)



Subject: Does not replace REMOTE_HOST (but does replace REMOTE_ADDR)
I'd expect $env->{REMOTE_HOST} to be overridden in the same manner that $env->{HTTP_HOST} and $env->{REMOTE_ADDR} are.

It isn't, meaning $env->{REMOTE_HOST} contains the name (or IP of) your proxy server, rather than the end user.

This causes Plack::Request's ->remote_addr method to return the proxy, rather than the end user - which is unexpected.

This issue is also present in Catalyst, which has the same behavior - this ticket is from a user bug report, and I'm assuming it is a bug rather than deliberate as it isn't documented, and the behavior is inconsistent between the two REMOTE_ keys.

13:48 <koki> if you ask me, HTTP_HOST and REMOTE_HOST got confused in P:M::ReverseProxy
13:48 -!- jnap [~johnn@38.112.1.90] has joined #catalyst
13:48 -!- mode/#catalyst [+o jnap] by GumbyNET3
13:49 <koki> t0m: your opinion on that?
13:51 <koki> http://search.cpan.org/~miyagawa/Plack-0.9985/lib/Plack/Request.pm
13:51 <t0m> right, HTTP_HOST is the vhost name - i.e. the thing you want to use to build URIs out of
13:51 <koki> if you look at the attributes section
13:55 <koki> imo it's s/HTTP_HOST/REMOTE_HOST/ in line 55 of P:M:ReverseProxy
13:56 -!- frew [frew@warpedreality.org] has quit [Quit: halp I'm drowning]
13:57 -!- frew [frew@warpedreality.org] has joined #catalyst
13:57 -!- mode/#catalyst [+o frew] by GumbyNET4
14:01 <t0m> koki: I'm not disagreeing, but I'm afraid I've run out of tuits to be looking at it any more in the middle of the work day
14:01 <koki> ok
14:01 <koki> sorry ... be blessed with the happiness
14:02 <koki> it's not crucial, ... not for me

Subject: Re: [rt.cpan.org #74778] Does not replace REMOTE_HOST (but does replace REMOTE_ADDR)
Date: Wed, 8 Feb 2012 09:50:20 -0800
To: bug-Plack-Middleware-ReverseProxy@rt.cpan.org
From: Tatsuhiko Miyagawa <miyagawa@gmail.com>
I think it makes sense to override REMOTE_HOST in the same way it does for REMOTE_ADDR. I'd expect frontend servers will only set IP address, not the host names in X-Forwarded-For header, but the CGI spec says:

REMOTE_HOST = "" | hostname | hostnumber

so it's fine to store the IP address to REMOTE_HOST.



-- 
Tatsuhiko Miyagawa

On Wednesday, February 8, 2012 at 5:45 AM, Tomas Doran via RT wrote:

Wed Feb 08 08:45:29 2012: Request 74778 was acted upon.
Transaction: Ticket created by BOBTFISH
Queue: Plack-Middleware-ReverseProxy
Subject: Does not replace REMOTE_HOST (but does replace REMOTE_ADDR)
Broken in: 0.11
Severity: Important
Owner: Nobody
Status: new


I'd expect $env->{REMOTE_HOST} to be overridden in the same manner that
$env->{HTTP_HOST} and $env->{REMOTE_ADDR} are.

It isn't, meaning $env->{REMOTE_HOST} contains the name (or IP of) your
proxy server, rather than the end user.

This causes Plack::Request's ->remote_addr method to return the proxy,
rather than the end user - which is unexpected.

This issue is also present in Catalyst, which has the same behavior -
this ticket is from a user bug report, and I'm assuming it is a bug
rather than deliberate as it isn't documented, and the behavior is
inconsistent between the two REMOTE_ keys.
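
A sketch of the behaviour requested in this ticket, added here as an example; it is not code from Plack::Middleware::ReverseProxy or from anyone in the thread. The wrapper name `fix_remote`, the `%TRUSTED` proxy list and every address are assumptions constructed for illustration, and the trusted-peer check is an addition, since X-Forwarded-For is supplied by whoever connects.

```perl
use strict;
use warnings;

# Hypothetical PSGI wrapper, not the distribution's own implementation.
# Assumption: only the proxies listed here may speak for a client, so
# X-Forwarded-For is honoured only when the TCP peer is one of them.
my %TRUSTED = map { $_ => 1 } qw(127.0.0.1 10.0.0.5);    # constructed addresses

sub fix_remote {
    my ($app) = @_;
    return sub {
        my ($env) = @_;
        my $xff = $env->{HTTP_X_FORWARDED_FOR};
        if ( defined $xff && $TRUSTED{ $env->{REMOTE_ADDR} // '' } ) {
            # Right-most entry: the address appended by our own proxy.
            my ($ip) = $xff =~ /([^,\s]+)\s*$/;
            if ( defined $ip ) {
                $env->{REMOTE_ADDR} = $ip;
                # The CGI grammar allows a hostnumber in REMOTE_HOST, so the
                # two REMOTE_ keys are kept consistent with each other.
                $env->{REMOTE_HOST} = $ip;
            }
        }
        return $app->($env);
    };
}

# Minimal PSGI app that reports what it sees in the environment.
my $app = sub {
    my ($env) = @_;
    return [ 200, [ 'Content-Type' => 'text/plain' ],
        [ "addr=$env->{REMOTE_ADDR} host=$env->{REMOTE_HOST}\n" ] ];
};

my $wrapped = fix_remote($app);

# Constructed request environments.
my @cases = (
    # Request arriving through the trusted proxy: both keys are rewritten.
    { REMOTE_ADDR => '10.0.0.5', REMOTE_HOST => 'proxy.internal',
      HTTP_X_FORWARDED_FOR => '198.51.100.9, 203.0.113.7' },
    # Direct request from an untrusted peer: the header is ignored.
    { REMOTE_ADDR => '192.0.2.44', REMOTE_HOST => '192.0.2.44',
      HTTP_X_FORWARDED_FOR => '203.0.113.7' },
);
print $wrapped->($_)->[2][0] for @cases;
```

Without the `REMOTE_HOST` assignment, the first case would still report `proxy.internal` as the host while `REMOTE_ADDR` shows the client, which is the inconsistency the ticket describes.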

Subject: Re: [rt.cpan.org #74778] Does not replace REMOTE_HOST (but does replace REMOTE_ADDR)
Date: Wed, 8 Feb 2012 09:51:46 -0800
To: bug-Plack-Middleware-ReverseProxy@rt.cpan.org
From: Tatsuhiko Miyagawa <miyagawa@gmail.com>
I honestly think HTTP_HOST doesn't really matter here - HTTP_HOST means what the browser sends in the Host: header, and should not be changed in most configurations.

-- 
Tatsuhiko Miyagawa

On Wednesday, February 8, 2012 at 6:02 AM, Klaus Ita via RT wrote:

Queue: Plack-Middleware-ReverseProxy

13:48 <koki> if you ask me, HTTP_HOST and REMOTE_HOST got confused in P:M::ReverseProxy
13:48 -!- jnap [~johnn@38.112.1.90] has joined #catalyst
13:48 -!- mode/#catalyst [+o jnap] by GumbyNET3
13:49 <koki> t0m: your opinion on that?
13:51 <koki>
13:51 <t0m> right, HTTP_HOST is the vhost name - i.e. the thing you want to use to build URIs out of
13:51 <koki> if you look at the attributes section
13:55 <koki> imo it's s/HTTP_HOST/REMOTE_HOST/ in line 55 of P:M:ReverseProxy
13:56 -!- frew [frew@warpedreality.org] has quit [Quit: halp I'm drowning]
13:57 -!- frew [frew@warpedreality.org] has joined #catalyst
13:57 -!- mode/#catalyst [+o frew] by GumbyNET4
14:01 <t0m> koki: I'm not disagreeing, but I'm afraid I've run out of tuits to be looking at it any more in the middle of the work day
14:01 <koki> ok
14:01 <koki> sorry ... be blessed with the happiness
14:02 <koki> it's not crucial, ... not for me


