Assigned
Status Update
No update yet.
Comments
as...@thisistemporary.com
Hello,
Thank you for reaching out to us!
This issue seems to be outside of the scope of Issue Tracker. This Issue Tracker is a forum for end users to report bugs and request features on Google Cloud products. Please go through
I recommend you to
For now, I'm going to close this thread which will no longer be monitored. In case you want to report a new issue, please do not hesitate to create a new Issue Tracker describing your issue.
Thank you!
sc...@google.com
al...@gmail.com
Because the X-Forwarded-For header can be easily spoofed, we may need to know the location of both the proxy and the real user behind it.
If we trust the proxy (suppose it's our own reverse proxy) or just don't care, we prefer to know where the real user is. If we don't trust the proxy (e.g. trying to mitigate a DDoS attack coming from a country-specific botnet or to comply with the international copyright law), we may want to know where the proxy is (because the "proxy" may turn out to be an attacker's zombie with no real user behind it).
Now, a request may be forwarded more than once, first by an untrusted proxy, then by our own trusted reverse proxy. So instead of proliferating the X-AppEngine headers, you could implement a lightweight geolocation API that does not incur the cost of a URLFetch request.
The API can be designed so that a request to geolocate several IP addresses from the same request handler causes only one network request to the API.
geolocate("1.2.3.4") --> ("us", "ca", "mountain view")
geolocate_many(["1.2.3.4", "5.6.7.8"]) -->
[("us", "ca", "mountain view"), ("ru", "", "moscow")]
If we trust the proxy (suppose it's our own reverse proxy) or just don't care, we prefer to know where the real user is. If we don't trust the proxy (e.g. trying to mitigate a DDoS attack coming from a country-specific botnet or to comply with the international copyright law), we may want to know where the proxy is (because the "proxy" may turn out to be an attacker's zombie with no real user behind it).
Now, a request may be forwarded more than once, first by an untrusted proxy, then by our own trusted reverse proxy. So instead of proliferating the X-AppEngine headers, you could implement a lightweight geolocation API that does not incur the cost of a URLFetch request.
The API can be designed so that a request to geolocate several IP addresses from the same request handler causes only one network request to the API.
geolocate("1.2.3.4") --> ("us", "ca", "mountain view")
geolocate_many(["1.2.3.4", "5.6.7.8"]) -->
[("us", "ca", "mountain view"), ("ru", "", "moscow")]
la...@gmail.com
Not just proxy. I just found out that while I'm using a 6in4 ipv6 address provided by a tunnel broker, the X-AppEngine-Country would be the country where the tunnel broker locates. There should be a better way to figure out where the user actually comes from, as my ipv6 address doesn't seem to able to fool those geo-locked web tv sites.
zs...@gmail.com
is this issue fixed ?
ub...@gmail.com
For what it's worth, here is some related infoI: In the specific case of claudflare, the header CF-Connecting-IP indeed carries the real IP of the user. Other CF headers such as CF-IPCountry provide the country (as deemed by CF) as well.
The issue is not fixed in the sense that request.remote_addr's value, in this example, is the IP of CF servers/
Also, FYI, X-Forwarding-For carries the same IP as CF-Connecting-IP, so al least in this situation, the X-Forwardiing-For would help. Now, if a transparent proxy sits in front of claudflare I dont' know where there is a way to detect that.
The issue is not fixed in the sense that request.remote_addr's value, in this example, is the IP of CF servers/
Also, FYI, X-Forwarding-For carries the same IP as CF-Connecting-IP, so al least in this situation, the X-Forwardiing-For would help. Now, if a transparent proxy sits in front of claudflare I dont' know where there is a way to detect that.
st...@gmail.com
Maybe Google wants us to use (and pay) for PageSpeed and not just use Cloudflare for free...
st...@gmail.com
Workaround for Cloudflare:
- use a separate subdomain for your assets (javascript, css etc.)
- enable Cloudflare to proxy/cache ONLY the assets domain, not www
This allows you to still use the Geo headers for the site requests but have CF cache the assets. Solves the issue for me :)
- use a separate subdomain for your assets (javascript, css etc.)
- enable Cloudflare to proxy/cache ONLY the assets domain, not www
This allows you to still use the Geo headers for the site requests but have CF cache the assets. Solves the issue for me :)
mu...@gmail.com
This needs to be fixed at least for Appengine and Cloudflare.
I guess since 2012 something could have been figured out?
At least post in this issue how to get the geolocation from an String IP, so we can do it manually.
I guess since 2012 something could have been figured out?
At least post in this issue how to get the geolocation from an String IP, so we can do it manually.
re...@gmail.com
You can use the MaxMind geoip databases to do a lookup. You'll have to download one of the database files, upload it with your application code, and write code to load it.
Here's a geoip lib written in pure python that can parse the data for you.
https://github.com/appliedsec/pygeoip
Then you can use this middleware class to fix the IP that self.request.remote_addr reports.
class ReverseProxyMiddleware(object):
def __init__(self, application):
self.application = application
def __call__(self, environ, start_response):
real_host = environ.get('HTTP_X_REAL_HOST') or environ.get('HTTP_X_FORWARDED_SERVER')
if real_host:
environ['HTTP_HOST'] = real_host
environ['SERVER_NAME'] = real_host
real_ip = environ.get('HTTP_X_REAL_IP') or environ.get('HTTP_X_FORWARDED_FOR')
if real_ip:
environ['REMOTE_ADDR'] = real_ip
return self.application(environ, start_response)
application = ReverseProxyMiddleware(application)
Here's a geoip lib written in pure python that can parse the data for you.
Then you can use this middleware class to fix the IP that self.request.remote_addr reports.
class ReverseProxyMiddleware(object):
def __init__(self, application):
self.application = application
def __call__(self, environ, start_response):
real_host = environ.get('HTTP_X_REAL_HOST') or environ.get('HTTP_X_FORWARDED_SERVER')
if real_host:
environ['HTTP_HOST'] = real_host
environ['SERVER_NAME'] = real_host
real_ip = environ.get('HTTP_X_REAL_IP') or environ.get('HTTP_X_FORWARDED_FOR')
if real_ip:
environ['REMOTE_ADDR'] = real_ip
return self.application(environ, start_response)
application = ReverseProxyMiddleware(application)
[Deleted User] <[Deleted User]>
Is there any update on this issue / timeline for when it might get implemented? Using geoip could be a reasonable workaround except you have to manage updating it and running this extra code on each request - would be great to be able to use the appengine one with a proxy (we've had to move to a proxy, cloudflare, now that pagespeed is deprecated).
tj...@gmail.com
Any updates? I agree that it'd be nicer to use the app engine headers.
ol...@gmail.com
Still no updates?
sc...@google.com
er...@feomedia.com
This is still something that would be very useful.
ya...@google.com
al...@ocoboco.com
Are there any updates?
Description
Please preferentially use the X-Forwarded-For header, falling back to the real IP address. Thanks!