From 85d857d7116dc58cd979650c5dc8b803c660a338 Mon Sep 17 00:00:00 2001 From: Hans Kristian Flaatten Date: Thu, 21 May 2015 11:15:17 +0200 Subject: [PATCH] Document why `REMOTE_ADD` may not be the user's IP Gunicorn v19 removed functionality which updated `REMOTE_ADDR` to the value of the `X-Forwared-For` header if received from a trusted upstream client. This was a violation of RFC 3875 CGI Version 1.1, and was hence removed. Close: #1035 PR-URL: #1037 Related: #633 Signed-off-by: Hans Kristian Flaatten --- docs/source/deploy.rst | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/source/deploy.rst b/docs/source/deploy.rst index 715d4336..c809223b 100644 --- a/docs/source/deploy.rst +++ b/docs/source/deploy.rst @@ -111,6 +111,21 @@ Gunicorn may come from untrusted proxies or directly from clients since the application may be tricked into serving SSL-only content over an insecure connection. +Gunicorn v19 introduced a breaking change concerning how ``REMOTE_ADDR`` is +handled. Previous to Gunicorn v19 this was set to the value of +``X-Forwarded-For`` if recieved from a trusted proxy. However, this was not in +compliance with `RFC 3875 CGI Version 1.1 `_ +which is why the ``REMOTE_ADDR`` is now the IP address of **the proxy** and +**not the actual user**. You should instead configure Nginx to send the user's +IP address through the ``X-Forwarded-For`` header like this:: + + ... + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + ... + +It is also worth noting that the ``REMOTE_ADDR`` will be completely empty if you +bind Gunicorn to a unix socket and not a tcp host:port tuple. + Using Virtualenv ================
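Review bot: the added paragraph tells readers to forward the client IP via ``X-Forwarded-For`` but not how to consume it safely, and the surrounding context (headers "may come from untrusted proxies or directly from clients") makes that omission a security gap. ``$proxy_add_x_forwarded_for`` appends ``$remote_addr`` to whatever ``X-Forwarded-For`` the client already sent, so the leftmost value in the list is attacker-controlled; the paragraph should say that the application must take the rightmost entry (the one appended by the trusted proxy), or that Nginx, when it is the first hop, should overwrite the header with ``proxy_set_header X-Forwarded-For $remote_addr;`` instead of appending, and that the header should only be honoured when ``REMOTE_ADDR`` is a known proxy. Minor points in the same hunk: "recieved" should be "received", "Previous to" reads better as "Prior to", and the ``RFC 3875 CGI Version 1.1`` link as shown has no ``<url>`` target inside the backticks, so it will not render as a hyperlink unless the target is present in the file.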