This queue is for tickets about the Plack-Middleware-ReverseProxy CPAN distribution.

Report information

The Basics
Id: 74778
Status: open
Priority: Low/Low

People
Owner: Nobody in particular
Requestors: bobtfish [...] bobtfish.net
Cc:
AdminCc:

BugTracker
Severity: Important
Broken in: 0.11
Fixed in: (no value)



Subject: Does not replace REMOTE_HOST (but does replace REMOTE_ADDR)
I'd expect $env->{REMOTE_HOST} to be overridden in the same manner that $env->{HTTP_HOST} and $env->{REMOTE_ADDR} are.

It isn't, meaning $env->{REMOTE_HOST} contains the name (or IP of) your proxy server, rather than the end user.

This causes Plack::Request's ->remote_addr method to return the proxy, rather than the end user - which is unexpected.

This issue is also present in Catalyst, which has the same behavior - this ticket is from a user bug report, and I'm assuming it is a bug rather than deliberate as it isn't documented, and the behavior is inconsistent between the two REMOTE_ keys.

13:48 <koki> if you ask me, HTTP_HOST and REMOTE_HOST got confused in P:M::ReverseProxy
13:48 -!- jnap [~johnn@38.112.1.90] has joined #catalyst
13:48 -!- mode/#catalyst [+o jnap] by GumbyNET3
13:49 <koki> t0m: your opinion on that?
13:51 <koki> http://search.cpan.org/~miyagawa/Plack-0.9985/lib/Plack/Request.pm
13:51 <t0m> right, HTTP_HOST is the vhost name - i.e. the thing you want to use to build URIs out of
13:51 <koki> if you look at the attributes section
13:55 <koki> imo it's s/HTTP_HOST/REMOTE_HOST/ in line 55 of P:M:ReverseProxy
13:56 -!- frew [frew@warpedreality.org] has quit [Quit: halp I'm drowning]
13:57 -!- frew [frew@warpedreality.org] has joined #catalyst
13:57 -!- mode/#catalyst [+o frew] by GumbyNET4
14:01 <t0m> koki: I'm not disagreeing, but I'm afraid I've run out of tuits to be looking at it any more in the middle of the work day
14:01 <koki> ok
14:01 <koki> sorry ... be blessed with the happiness
14:02 <koki> it's not crucial, ... not for me

Subject: Re: [rt.cpan.org #74778] Does not replace REMOTE_HOST (but does replace REMOTE_ADDR)
Date: Wed, 8 Feb 2012 09:50:20 -0800
To: bug-Plack-Middleware-ReverseProxy@rt.cpan.org
From: Tatsuhiko Miyagawa <miyagawa@gmail.com>
I think it makes sense to override REMOTE_HOST in the same way it does for REMOTE_ADDR. I'd expect frontend servers will only set the IP address, not host names, in the X-Forwarded-For header, but the CGI spec says:

REMOTE_HOST = "" | hostname | hostnumber

so it's fine to store the IP address in REMOTE_HOST.



-- 
Tatsuhiko Miyagawa
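
An added example, not code from Plack-Middleware-ReverseProxy or from anyone on this ticket: a plain PSGI wrapper that overrides REMOTE_HOST together with REMOTE_ADDR, storing the forwarded IP in both as the CGI grammar quoted above permits, and leaving HTTP_HOST alone. The trusted-proxy list, the name forwarded_client and the sample environments are assumptions constructed for illustration.

```perl
use strict;
use warnings;
use 5.010;

# Assumption: addresses of the proxies allowed to supply X-Forwarded-For.
my %TRUSTED_PROXY = map { $_ => 1 } qw(127.0.0.1 10.0.0.5);

# Hypothetical wrapper; $app is any PSGI application coderef.
sub forwarded_client {
    my ($app) = @_;
    return sub {
        my ($env) = @_;
        my $xff = $env->{HTTP_X_FORWARDED_FOR};
        # Only honour the header when the direct peer is one of our proxies.
        if (defined $xff && $TRUSTED_PROXY{ $env->{REMOTE_ADDR} // '' }) {
            my @hops = grep { length } split /[\s,]+/, $xff;
            # Walk right to left: the first hop that is not our proxy is the client.
            my ($client) = grep { !$TRUSTED_PROXY{$_} } reverse @hops;
            # Accept only something shaped like an IPv4/IPv6 literal.
            if (defined $client && $client =~ /\A[0-9A-Fa-f:.]+\z/) {
                $env->{REMOTE_ADDR} = $client;
                # REMOTE_HOST may be a hostnumber, so keep it consistent
                # with REMOTE_ADDR instead of leaving the proxy's name there.
                $env->{REMOTE_HOST} = $client;
            }
        }
        return $app->($env);    # HTTP_HOST is deliberately not modified
    };
}

# Constructed PSGI environments: one via a trusted proxy, one direct.
my $app = forwarded_client(sub {
    my $e = shift;
    [200, [], ["REMOTE_ADDR=$e->{REMOTE_ADDR} REMOTE_HOST=$e->{REMOTE_HOST}\n"]];
});
for my $env (
    { REMOTE_ADDR => '10.0.0.5', REMOTE_HOST => 'proxy.internal',
      HTTP_X_FORWARDED_FOR => '203.0.113.7, 10.0.0.5' },
    { REMOTE_ADDR => '198.51.100.9', REMOTE_HOST => '198.51.100.9',
      HTTP_X_FORWARDED_FOR => '192.0.2.1' },
) {
    print $app->($env)->[2][0];
}
```

The second environment keeps its original values because the connecting peer is not in the trusted list, so its X-Forwarded-For header is ignored.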


Subject: Re: [rt.cpan.org #74778] Does not replace REMOTE_HOST (but does replace REMOTE_ADDR)
Date: Wed, 8 Feb 2012 09:51:46 -0800
To: bug-Plack-Middleware-ReverseProxy@rt.cpan.org
From: Tatsuhiko Miyagawa <miyagawa@gmail.com>
I honestly think HTTP_HOST doesn't really matter here - HTTP_HOST means what the browser sends in the Host: header, and should not be changed in most configurations.

-- 
Tatsuhiko Miyagawa



