Add a XForwardedForMiddleware middleware (#6922)

It allows authentic to automatically get the real ip when behind
Gunicorn+nginx.

debian-wheezy/debian_config.py

@@ -1,6 +1,10 @@
 import os
 import warnings
 
+
+# Add the XForwardedForMiddleware
+MIDDLEWARE_CLASSES = ('authentic2.middleware.XForwardedForMiddleware',) + MIDDLEWARE_CLASSES
+
 # Debian defaults
 DEBUG = False
 

debian-wheezy/multitenant/debian_config.py

@@ -43,6 +43,7 @@ TEMPLATE_LOADERS = ('hobo.multitenant.template_loader.FilesystemLoader',) + TEMP
 TEMPLATE_CONTEXT_PROCESSORS = ('django.core.context_processors.request',) + TEMPLATE_CONTEXT_PROCESSORS
 
 MIDDLEWARE_CLASSES = (
+    'authentic2.middleware.XForwardedForMiddleware',
     'hobo.multitenant.middleware.TenantMiddleware',
     'hobo.multitenant.middleware.TenantSettingsMiddleware',
 ) + MIDDLEWARE_CLASSES

src/authentic2/middleware.py

@@ -149,3 +149,13 @@ class ViewRestrictionMiddleware(object):
         if view == 'auth_password_change':
             messages.warning(request, _('You must change your password to continue'))
         return utils.redirect_and_come_back(request, view)
+
+class XForwardedForMiddleware():
+    '''Copy the first address from X-Forwarded-For header to the REMOTE_ADDR meta.
+
+       This middleware should only be used if you are sure the header cannot be
+       forged (behind a reverse proxy for example).'''
+    def process_request(self, request):
+        if 'HTTP_X_FORWARDED_FOR' in request.META:
+            request.META['REMOTE_ADDR'] = request.META['HTTP_X_FORWARDED_FOR'].split(",")[0].strip()
+            return None