[BUG] Remote address not logged properly when running Pythonanywhere
Closed this issue · 2 comments
Describe the bug
Because of their load balancer, request.remote_addr returns the address of the load balancer.
Same happens for Nginx forwarding traffic to Docker.
It should return the address of the remote user, but they use request.headers['X-Real-IP'] instead.
Possible Solution
Add a check for Pythonanywhere, and overwrite request.remote_addr with the real IP
Overwrite request.remote_addr with request.headers['X-Real-IP'] if the app is run under a proxy.
Works on PythonAnywhere and for Nginx, if it's set (vulnerability if Nginx is misconfigured; perhaps we should add something in the docs/settings about this).
Note that the PYTHONANYWHERE_SITE envvar is only set on PythonAnywhere.
I think honestly the way to deal with this is to create a middleware to rewrite request.remote_addr to request.header["X-Real-IP"] if the user sets some boolean in the settings.
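A sketch of the opt-in middleware discussed in this thread, added here as an illustration and not taken from the project's code. It goes one step beyond the proposal by also requiring that the connecting peer is a configured proxy before X-Real-IP is believed. The class name, the `enabled` and `trusted_proxies` settings, the `realip.proxy_addr` key and all addresses are assumptions constructed for the example.

```python
import ipaddress


class RealIPMiddleware:
    """Rewrite REMOTE_ADDR from X-Real-IP, but only for requests from a trusted proxy."""

    def __init__(self, app, enabled=False, trusted_proxies=()):
        self.app = app
        self.enabled = enabled  # hypothetical boolean setting, off by default
        self.trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def _peer_is_trusted(self, peer):
        try:
            addr = ipaddress.ip_address(peer)
        except ValueError:
            return False
        return any(addr in net for net in self.trusted)

    def __call__(self, environ, start_response):
        peer = environ.get("REMOTE_ADDR", "")
        claimed = environ.get("HTTP_X_REAL_IP", "").strip()
        if self.enabled and claimed and self._peer_is_trusted(peer):
            try:
                environ["REMOTE_ADDR"] = str(ipaddress.ip_address(claimed))
                environ["realip.proxy_addr"] = peer  # keep the socket peer for auditing
            except ValueError:
                pass  # malformed header: keep the socket address
        return self.app(environ, start_response)


def logged_addr(peer, header, **settings):
    """Send one constructed request through the middleware; return the address the app sees."""
    seen = {}
    def app(environ, start_response):
        seen["addr"] = environ["REMOTE_ADDR"]
        start_response("200 OK", [])
        return [b""]

    environ = {"REMOTE_ADDR": peer}
    if header is not None:
        environ["HTTP_X_REAL_IP"] = header
    RealIPMiddleware(app, **settings)(environ, lambda status, headers: None)
    return seen["addr"]


if __name__ == "__main__":
    cfg = {"enabled": True, "trusted_proxies": ["10.0.0.0/8"]}
    print(logged_addr("10.0.0.5", "203.0.113.7", **cfg))      # via proxy
    print(logged_addr("198.51.100.9", "203.0.113.7", **cfg))  # direct, header ignored
```

WSGI frameworks such as Flask read request.remote_addr from `environ["REMOTE_ADDR"]`, so wrapping the WSGI app is enough for the logged address to change. The peer check only covers requests that reach the app without passing through the proxy; the proxy itself still has to overwrite any client-supplied X-Real-IP header.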