
[Chicken-users] spiffy, remote-address, X-Forwarded-For


From: John J Foerch
Subject: [Chicken-users] spiffy, remote-address, X-Forwarded-For
Date: Wed, 13 Apr 2011 22:46:07 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (gnu/linux)

Hello,

I have a feature request for spiffy.

The background: I set up an awful-based web app behind an apache2
reverse proxy.  Awful/spiffy is listening locally on port 8080, and
apache2 delivers requests to it via mod_rewrite with the [P] (proxy)
flag.

Under this configuration, the spiffy call (remote-address) always
returns "127.0.0.1", because all requests come from the reverse proxy.
However, the true client's IP can be gotten from the http header,
X-Forwarded-For.  My request is that an option be added to spiffy such
that 'remote-address' could make use of the X-Forwarded-For header to
return the true client's IP under this kind of setup.  It should not be
enabled by default, because using it reliably requires the administrator
to configure the list of known proxies which are to be ignored.

X-Forwarded-For may contain a list of IPs, in the case that the request
has been proxied more than once.  The IPs are separated by ", " with the
last being the most recent.  Ideally, the user could give the list of
known proxies in the server config, and 'remote-address' would skip over
these IPs when searching through X-Forwarded-For for the true client IP.

In my app, for example, I wrote the following procedure to use instead
of 'remote-address', to filter out the one reverse proxy address:

  (define (remote-address-beyond-rproxy)
    (let ((r (remote-address)))
      (if (equal? r "127.0.0.1")
          (let ((xff (header-values
                      'x-forwarded-for
                      (request-headers (current-request)))))
            (if (null? xff)
                r
                (last (string-split (car xff) " ,"))))
          r)))

If spiffy had an option as I described above, it would be that much
easier to use in situations where it is the secondary server.

Thank you.

-- 
John Foerch
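
The configurable behaviour requested above, as an added example that is not part of the original message and is not spiffy code: it trusts X-Forwarded-For only when the TCP peer is a known proxy, then walks the list from newest to oldest and skips known proxies. The names `client-address` and `trusted-proxies` and all addresses are hypothetical; the import line assumes CHICKEN 4 or 5.

```scheme
;; Added example, not spiffy's implementation. All names are hypothetical.
(cond-expand
  (chicken-5 (import (chicken string)))   ; string-split in CHICKEN 5
  (else (use data-structures)))           ; string-split in CHICKEN 4

;; Reverse proxies operated by the administrator (constructed values).
(define trusted-proxies '("127.0.0.1" "10.0.0.5"))

;; peer:       address of the TCP peer, e.g. the result of (remote-address)
;; xff-values: raw X-Forwarded-For header values, in order of appearance
;; trusted:    list of proxy addresses whose header entries are believed
;; Returns the address to treat as the client.
(define (client-address peer xff-values trusted)
  (if (not (member peer trusted))
      ;; The request did not come through one of our proxies, so the
      ;; header is entirely client-supplied and must be ignored.
      peer
      ;; Each proxy appends the address it received the request from, so
      ;; the newest entry is last. Walk right to left over all values.
      (let loop ((hops (reverse
                        (apply append
                               (map (lambda (v) (string-split v ", "))
                                    xff-values))))
                 (nearest peer))
        (cond ((null? hops) nearest)           ; only trusted hops were seen
              ((member (car hops) trusted)     ; known proxy: keep walking
               (loop (cdr hops) (car hops)))
              ;; First entry not written about a known proxy: this is the
              ;; client. Anything to its left was supplied by that client
              ;; and is never consulted.
              (else (car hops))))))

;; Constructed requests exercising the three cases.
;; 1. One proxy hop, as in the setup described in the message.
(print (client-address "127.0.0.1" '("203.0.113.7") trusted-proxies))
;; 2. Two proxy hops, with a forged leading entry sent by the client.
(print (client-address "127.0.0.1"
                       '("192.0.2.66, 203.0.113.7, 10.0.0.5")
                       trusted-proxies))
;; 3. Direct connection that bypasses the proxy and sends its own header.
(print (client-address "198.51.100.9" '("192.0.2.66") trusted-proxies))
```

In a spiffy handler the first two arguments would come from `(remote-address)` and from `header-values` on the current request, as in the procedure in the message.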



