The most recent part of the code (closest to the top, in that permalink) uses edx-django-utils to make various information about the client IP chain available to the application. This is currently working as desired, although it might not be the best place for it. However, the oldest part assumes there is only one true client IP, and then uses that to overwrite request.META['REMOTE_ADDR']. We'd like to delete this part, since it creates an incorrect and inconsistent view of the IP chain. This needs to be removed before the newer code can properly be extracted to a utility module somewhere—it overwrites information that the newer block needs to read. That order dependence is fragile.
In between, there's also some code that copies some values in request.META to new names, for a past Gunicorn upgrade. This will need to be carefully evaluated to determine whether it is still needed, and what to do with it. (Caution: The field and header variable names might be reversed here.) At the very least we'll want to expand the comments.
Acceptance criteria:
DEPRs filed and accepted as needed
Sweep for any remaining uses of REMOTE_ADDR or other code that thinks it has the "real client IP" and isn't already using the edx_django_utils.ip utils
No longer overwrite request.META['REMOTE_ADDR']
Move newer code (call to ip.init_client_ips, instrumentation) into an edx-django-utils middleware, and use that middleware instead
Also recommend to other teams that they use this
Do something with the request.META field copying/renaming (delete? document better?)
Notes:
We should consider adding observability (maybe even a utility) for monitoring if a getter is called to know whether anyone is calling request.META['REMOTE_ADDR']. If no one is, we can remove the override that is changing its value.
XForwardedForMiddleware in edxapp contains several pieces of code relating to IP addresses.
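One way to get the read-side observability suggested in the notes, shown as an added example that is not part of the issue, edx-platform, or edx-django-utils. `ReadAuditedMeta`, `read_count` and `audit_meta_middleware` are hypothetical names, and the sketch assumes `request.META` is a plain dict that can be swapped for a dict subclass before any other code reads it.

```python
import sys
from collections import Counter

WATCHED_KEYS = frozenset({"REMOTE_ADDR"})


class ReadAuditedMeta(dict):
    """Hypothetical stand-in for request.META that counts reads of watched keys.

    dict.get() does not go through __getitem__ on subclasses, so both are
    overridden. Bulk access (items(), dict(meta), **meta) is not observed.
    """

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.reads = Counter()  # (key, "file:line" of caller) -> count

    def _record(self, key):
        if key in WATCHED_KEYS:
            caller = sys._getframe(2)  # CPython: frame that called __getitem__/get
            site = f"{caller.f_code.co_filename}:{caller.f_lineno}"
            self.reads[(key, site)] += 1

    def __getitem__(self, key):
        self._record(key)
        return super().__getitem__(key)

    def get(self, key, default=None):
        self._record(key)
        return super().get(key, default)


def read_count(meta, key):
    """Total observed reads of `key`, across all call sites."""
    return sum(n for (k, _site), n in meta.reads.items() if k == key)


def audit_meta_middleware(get_response):
    """Django-style middleware factory; install it first so later code sees the wrapper."""
    def middleware(request):
        request.META = ReadAuditedMeta(request.META)
        response = get_response(request)
        for (key, site), n in request.META.reads.items():
            print(f"meta_read key={key} site={site} count={n}")  # swap for real metrics
        return response
    return middleware
```

Grouping by call site shows which modules still depend on the overwritten value, which is what the sweep in the acceptance criteria needs before the override can be deleted.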