Understanding how NUM_PROXIES works

[andialbrecht]

Hi there, I'm not sure if I fully understand how NUM_PROXIES for throttling works.

According to the documentation and #3234 using NUM_PROXIES should work as follows:

When we have this information in X-Forwarded-For ip1, ip2, proxy1, proxy2 and NUM_PROXIES is set to 2, then ip2 should be returned. Is this correct?

If so, then the test cases for spoofing look wrong. In the test cases we have the following setup code:

django-rest-framework/tests/test_throttling.py

Lines 396 to 397 in 589b5dc

	self.request.META['REMOTE_ADDR'] = '3.3.3.3'
	self.request.META['HTTP_X_FORWARDED_FOR'] = '0.0.0.0, 1.1.1.1, 2.2.2.2'

Rate is limited to 1 request per day, so that only one request from the same IP is accepted and all following requests are denied. I left this out from the snippet to focus on the relevant parts.

This is the test case:

django-rest-framework/tests/test_throttling.py

Lines 414 to 419 in 589b5dc

	class XffSpoofingTests(XffTestingBase):
	def test_xff_spoofing_doesnt_change_machine_id_with_one_app_proxy(self):
	self.config_proxy(1)
	self.view(self.request)
	self.request.META['HTTP_X_FORWARDED_FOR'] = '4.4.4.4, 5.5.5.5, 2.2.2.2'
	assert self.view(self.request).status_code == 429

NUM_PROXIES is set to 1 (line 416). Then the first request is sent. Since NUM_PROXIES is 1 the relevant IP address should be taken from HTTP_X_FORWARDED_FOR, excluding one proxy (2.2.2.2) and therefore should be 1.1.1.1. Even if it isn't explicitly checked in the test, the request should be accepted as it is the first from this IP.

Then in line 418 the X-Forwarded-For header is modified. The first IP after the proxy 2.2.2.2 now is 5.5.5.5 and a new request is sent to the view. The test passes if this request will be rejected. But since this is the first request from IP 5.5.5.5 I'd expect that the request is accepted instead.

Looking at the implementation of get_ident it looks suspicious too:

django-rest-framework/rest_framework/throttling.py

Lines 36 to 38 in 589b5dc

	addrs = xff.split(',')
	client_addr = addrs[-min(num_proxies, len(addrs))]
	return client_addr.strip()

When num_proxies is 1 and addrs is, let's say, "ip1, ip2, proxy1, proxy2" line 37 then identifies addrs[-1] (addrs[-min(num_proxies, len(addrs))]) as the client address. The last element in the list, which is the proxy itself.

Those code parts haven't changed for about a decade. That's why I'm really not sure, if I totally misunderstand how it's supposed to work ;)

[andialbrecht]

Ah, the problem was on my side! First I counted the number of proxies in my environment wrong, I've missed one. And second I've missed the fact that the last proxy isn't in X-Forwarded-For, of course!

Closing this discussion, but I hope it saves some time for others when struggling with similar problems.