Skip Menu |
 
rt.cpan.org will be shut down on March 1st, 2021.

This queue is for tickets about the Plack-Middleware-ReverseProxy CPAN distribution.

Report information
The Basics
Id: 74778
Status: open
Priority: 0/
Queue: Plack-Middleware-ReverseProxy

People
Owner: Nobody in particular
Requestors: bobtfish [...] bobtfish.net
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.11
Fixed in: (no value)



Subject: Does not replace REMOTE_HOST (but does replace REMOTE_ADDR)
Download (untitled) / with headers
text/plain 601b
I'd expect $env->{REMOTE_HOST} to be overridden in the same manor that $env->{HTTP_HOST} and $env->{REMOTE_ADDR} are. It isn't, meaning $env->{REMOTE_HOST} contains the name (or IP of) your proxy server, rather than the end user. This causes Plack::Request's ->remote_addr method to return the proxy, rather than the end user - which is unexpected. This issue is also present in Catalyst, which has the same behavior - this ticket is from a user bug report, and I'm assuming it is a bug rather than deliberate as it isn't documented, and the behavior is inconsistent between the two REMOTE_ keys.
Download (untitled) / with headers
text/plain 1017b
13:48 <koki> if you ask me, HTTP_HOST and REMOTE_HOST got confused in P:M::ReverseProxy 13:48 -!- jnap [~johnn@38.112.1.90] has joined #catalyst 13:48 -!- mode/#catalyst [+o jnap] by GumbyNET3 13:49 <koki> t0m: your opinion on that? 13:51 <koki> http://search.cpan.org/~miyagawa/Plack-0.9985/lib/Plack/Request.pm 13:51 <t0m> right, HTTP_HOST is the vhost name - i.e. the thing you want to use to build URIs out of 13:51 <koki> if you look at the attributes section 13:55 <koki> imo it's s/HTTP_HOST/REMOTE_HOST/ in line 55 of P:M:ReverseProxy 13:56 -!- frew [frew@warpedreality.org] has quit [Quit: halp I'm drowning] 13:57 -!- frew [frew@warpedreality.org] has joined #catalyst 13:57 -!- mode/#catalyst [+o frew] by GumbyNET4 14:01 <t0m> koki: I'm not disagreeing, but I'm afriad I've run out of tuits to be looking at it any more in the middle of the work day 14:01 <koki> ok 14:01 <koki> sorry ... be blessed with the happyness 14:02 <koki> it's not crucial, ... not for me
Subject: Re: [rt.cpan.org #74778] Does not replace REMOTE_HOST (but does replace REMOTE_ADDR)
Date: Wed, 8 Feb 2012 09:50:20 -0800
To: bug-Plack-Middleware-ReverseProxy [...] rt.cpan.org
From: Tatsuhiko Miyagawa <miyagawa [...] gmail.com>
Download (untitled) / with headers
text/plain 1.4k
I think it makes sense to override REMOTE_HOST in the same way it does for REMOTE_ADDR. I'd expect frontend servers will only set IP address, not the host names in X-Forwarded-For header, but the CGI spec says: REMOTE_HOST = "" | hostname | hostnumber so it's fine to store the IP address to REMOTE_HOST. -- Tatsuhiko Miyagawa On Wednesday, February 8, 2012 at 5:45 AM, Tomas Doran via RT wrote: Show quoted text
> Wed Feb 08 08:45:29 2012: Request 74778 was acted upon. > Transaction: Ticket created by BOBTFISH > Queue: Plack-Middleware-ReverseProxy > Subject: Does not replace REMOTE_HOST (but does replace REMOTE_ADDR) > Broken in: 0.11 > Severity: Important > Owner: Nobody > Requestors: bobtfish@bobtfish.net (mailto:bobtfish@bobtfish.net) > Status: new > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=74778 > > > > I'd expect $env->{REMOTE_HOST} to be overridden in the same manor that > $env->{HTTP_HOST} and $env->{REMOTE_ADDR} are. > > It isn't, meaning $env->{REMOTE_HOST} contains the name (or IP of) your > proxy server, rather than the end user. > > This causes Plack::Request's ->remote_addr method to return the proxy, > rather than the end user - which is unexpected. > > This issue is also present in Catalyst, which has the same behavior - > this ticket is from a user bug report, and I'm assuming it is a bug > rather than deliberate as it isn't documented, and the behavior is > inconsistent between the two REMOTE_ keys. > >
Subject: Re: [rt.cpan.org #74778] Does not replace REMOTE_HOST (but does replace REMOTE_ADDR)
Date: Wed, 8 Feb 2012 09:51:46 -0800
To: bug-Plack-Middleware-ReverseProxy [...] rt.cpan.org
From: Tatsuhiko Miyagawa <miyagawa [...] gmail.com>
Download (untitled) / with headers
text/plain 1.4k
I honestly think HTTP_HOST doesn't really matter here - HTTP_HOST means what browser sends in Host: header, and should not be changed in the most configurations. -- Tatsuhiko Miyagawa On Wednesday, February 8, 2012 at 6:02 AM, Klaus Ita via RT wrote: Show quoted text
> Queue: Plack-Middleware-ReverseProxy > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=74778 > > > 13:48 <koki> if you ask me, HTTP_HOST and REMOTE_HOST got confused in > P:M::ReverseProxy > 13:48 -!- jnap [~johnn@38.112.1.90 (mailto:johnn@38.112.1.90)] has joined #catalyst > 13:48 -!- mode/#catalyst [+o jnap] by GumbyNET3 > 13:49 <koki> t0m: your opinion on that? > 13:51 <koki> > http://search.cpan.org/~miyagawa/Plack-0.9985/lib/Plack/Request.pm > 13:51 <t0m> right, HTTP_HOST is the vhost name - i.e. the thing you want > to use > to build URIs out of > 13:51 <koki> if you look at the attributes section > 13:55 <koki> imo it's s/HTTP_HOST/REMOTE_HOST/ in line 55 of > P:M:ReverseProxy > 13:56 -!- frew [frew@warpedreality.org (mailto:frew@warpedreality.org)] has quit [Quit: halp I'm drowning] > 13:57 -!- frew [frew@warpedreality.org (mailto:frew@warpedreality.org)] has joined #catalyst > 13:57 -!- mode/#catalyst [+o frew] by GumbyNET4 > 14:01 <t0m> koki: I'm not disagreeing, but I'm afriad I've run out of > tuits to > be looking at it any more in the middle of the work day > 14:01 <koki> ok > 14:01 <koki> sorry ... be blessed with the happyness > 14:02 <koki> it's not crucial, ... not for me > >


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.