On Thu, 02 Nov 2006 11:15:56 -0700, "Robert J. Macomber" tbnl@rojoma.com wrote:
> The real-remote-addr function currently returns the value of the x-forwarded-for header if it's set, or remote-addr if it's not. In the case of chains of proxies, this gives unexpected results as each proxy appends the address it's proxying for onto the end of the list.
> Since I imagine this function is intended to be used in situations where Hunchentoot is sitting behind proxies of its own, I've written a function to split things up to give a particular entry in this chain. Most of the time, I imagine you'd just want the address added by the closest proxy but if (for example) you're behind mod_proxy behind squid, this function can tell you the address of the agent that hit the squid server.
Hmm, I see the problem, but that actually wasn't the only situation this was written for. I also imagined proxies I wouldn't have control of like those used by, say, AOL customers. To be honest, I didn't even know that chained proxies will add to the XFF header instead of just replacing it. Is this behaviour specified somewhere?
Anyway, I was thinking that maybe a better API would look like this:
1. If there is no XFF header, return REMOTE-ADDR as it is now.
2. If there is an XFF header, return two values - the second one is a list of all IP addresses in the header, the first one is the last element of this list.
How about that?
Cheers, Edi.
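
The two ideas in this thread, sketched as an added example (not code from either poster or from Hunchentoot): the two-value API proposed in the reply, and the "entry counted from the end of the chain" lookup described in the quoted message. The function names, the fallback to REMOTE-ADDR on an empty or too-short chain, and the sample addresses are assumptions made for this sketch.

```lisp
;;; Added example. All names here are hypothetical, not Hunchentoot's API.

(defun split-xff (header)
  "Split an X-Forwarded-For value on commas, trimming blanks and
dropping empty entries."
  (loop with start = 0
        for comma = (position #\, header :start start)
        for entry = (string-trim '(#\Space #\Tab)
                                 (subseq header start comma))
        unless (string= entry "") collect entry
        while comma
        do (setf start (1+ comma))))

(defun real-remote-addr* (xff-header remote-addr)
  "No usable XFF header: return REMOTE-ADDR.  Otherwise return the last
address in the header and, as a second value, the list of all addresses."
  (let ((addresses (and xff-header (split-xff xff-header))))
    (if addresses
        (values (first (last addresses)) addresses)
        remote-addr)))            ; assumption: empty header counts as unset

(defun forwarded-addr-from-end (xff-header remote-addr hops)
  "Entry HOPS positions before the last one (0 = the address appended by
the closest proxy).  Falls back to REMOTE-ADDR if the chain is shorter."
  (let* ((addresses (and xff-header (split-xff xff-header)))
         (index (- (length addresses) 1 hops)))
    (if (and addresses (>= index 0))
        (nth index addresses)
        remote-addr)))

;; Constructed sample: the first entry arrived in the client's own request,
;; the second was appended by squid, the third by mod_proxy.
(defparameter *sample-xff* "198.51.100.9, 203.0.113.7, 10.0.0.2")

(multiple-value-bind (addr chain)
    (real-remote-addr* *sample-xff* "127.0.0.1")
  (format t "last entry: ~a~%full chain: ~s~%" addr chain))

;; mod_proxy behind squid: one position before the last entry is the
;; agent that connected to squid, whatever the client put in front of it.
(format t "agent that hit squid: ~a~%"
        (forwarded-addr-from-end *sample-xff* "127.0.0.1" 1))
```

Because each proxy appends to the end, only the trailing entries written by proxies you operate are reliable; anything to their left was supplied by the requester and should be treated as unverified input.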