Fix throttling documentation about Remote-Addr

There's no such HTTP header called Remote-Addr and the throttling code is indeed not using any HTTP variable to get this.
Instead it is using the WSGI environment variable REMOTE_ADDR, which may be set by the webserver according to configuration. For example, in nginx it is possible to use the nginx_http_realip_module and set it based on any HTTP header, if it comes from a trusted reverse proxy server.

On the other hand, X-Forwarded-For is a valid HTTP header and that's why it is also prefixed with HTTP_ in the request.META object.
Jozef 2017-09-12 12:22:23 +02:00 committed by GitHub
parent a560a49d56
commit 3c6b3d8e97
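The distinction the commit message draws, as an added example that is not Django REST framework code or part of this commit: a WSGI server puts the socket peer in `REMOTE_ADDR` and every request header under an `HTTP_*` key, so a client-sent `Remote-Addr` header never becomes `REMOTE_ADDR`. The helper names `build_environ` and `client_ident` are hypothetical, the addresses are constructed, and the `NUM_PROXIES` handling is one reading of the rule in the documentation text below.

```python
# Added illustration; helper names are hypothetical, not the project's code.

def build_environ(peer_addr, headers):
    """Mimic how a WSGI server fills environ: the socket peer becomes
    REMOTE_ADDR, and each request header becomes an HTTP_* key."""
    environ = {"REMOTE_ADDR": peer_addr}
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    return environ


def client_ident(environ, num_proxies=None):
    """Choose the throttling identity following the documented rule."""
    xff = environ.get("HTTP_X_FORWARDED_FOR")
    remote_addr = environ.get("REMOTE_ADDR")
    if num_proxies is not None:
        if num_proxies == 0 or xff is None:
            return remote_addr
        addrs = [a.strip() for a in xff.split(",")]
        # Assumption: each trusted proxy appended one entry on the right,
        # so count back num_proxies entries from the end.
        return addrs[-min(num_proxies, len(addrs))]
    # NUM_PROXIES unset: the header is taken as sent when present.
    return xff if xff is not None else remote_addr


# Constructed request: the client at 203.0.113.7 sends its own Remote-Addr
# and X-Forwarded-For headers; one reverse proxy at 198.51.100.10 appends
# the address it actually saw and connects to the application.
SAMPLE_ENVIRON = build_environ(
    "198.51.100.10",
    {
        "Remote-Addr": "192.0.2.99",
        "X-Forwarded-For": "192.0.2.99, 203.0.113.7",
    },
)

if __name__ == "__main__":
    for n in (None, 0, 1, 5):
        print(n, "->", client_ident(SAMPLE_ENVIRON, n))
```

With `num_proxies=1` the proxy-appended address is chosen and the client-supplied entry is ignored; a value larger than the real proxy count (5 here) falls back onto the client-supplied entry, so the setting has to match the deployment exactly.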

@ -68,9 +68,9 @@ Or, if you're using the `@api_view` decorator with function based views.
## How clients are identified
The `X-Forwarded-For` and `Remote-Addr` HTTP headers are used to uniquely identify client IP addresses for throttling. If the `X-Forwarded-For` header is present then it will be used, otherwise the value of the `Remote-Addr` header will be used.
The `X-Forwarded-For` HTTP header and `REMOTE_ADDR` WSGI variable are used to uniquely identify client IP addresses for throttling. If the `X-Forwarded-For` header is present then it will be used, otherwise the value of the `REMOTE_ADDR` variable from the WSGI environment will be used.
If you need to strictly identify unique client IP addresses, you'll need to first configure the number of application proxies that the API runs behind by setting the `NUM_PROXIES` setting. This setting should be an integer of zero or more. If set to non-zero then the client IP will be identified as being the last IP address in the `X-Forwarded-For` header, once any application proxy IP addresses have first been excluded. If set to zero, then the `Remote-Addr` header will always be used as the identifying IP address.
If you need to strictly identify unique client IP addresses, you'll need to first configure the number of application proxies that the API runs behind by setting the `NUM_PROXIES` setting. This setting should be an integer of zero or more. If set to non-zero then the client IP will be identified as being the last IP address in the `X-Forwarded-For` header, once any application proxy IP addresses have first been excluded. If set to zero, then the `REMOTE_ADDR` value will always be used as the identifying IP address.
It is important to understand that if you configure the `NUM_PROXIES` setting, then all clients behind a unique [NAT'd](http://en.wikipedia.org/wiki/Network_address_translation) gateway will be treated as a single client.
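Review bot: The rewritten first paragraph under "How clients are identified" still says `X-Forwarded-For` "will be used" whenever it is present, without saying that this is a request header the client can set itself. Suggest adding a sentence there that the value is only meaningful when a reverse proxy you control sets or appends it, with a pointer to `NUM_PROXIES`. The commit message notes that `REMOTE_ADDR` may be set by the web server according to its configuration; that detail deserves one sentence in the docs as well, since readers of the docs will not see the commit message. Minor style point: the new text names the same thing three ways ("`REMOTE_ADDR` WSGI variable", "`REMOTE_ADDR` variable from the WSGI environment", "`REMOTE_ADDR` value"); pick one phrasing and use it in both paragraphs.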