diff options
Diffstat (limited to 'webapp/django/middleware/http.py')
-rw-r--r-- | webapp/django/middleware/http.py | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/webapp/django/middleware/http.py b/webapp/django/middleware/http.py new file mode 100644 index 0000000000..53b65c1034 --- /dev/null +++ b/webapp/django/middleware/http.py @@ -0,0 +1,55 @@ +from django.utils.http import http_date + +class ConditionalGetMiddleware(object): + """ + Handles conditional GET operations. If the response has a ETag or + Last-Modified header, and the request has If-None-Match or + If-Modified-Since, the response is replaced by an HttpNotModified. + + Also sets the Date and Content-Length response-headers. + """ + def process_response(self, request, response): + response['Date'] = http_date() + if not response.has_header('Content-Length'): + response['Content-Length'] = str(len(response.content)) + + if response.has_header('ETag'): + if_none_match = request.META.get('HTTP_IF_NONE_MATCH', None) + if if_none_match == response['ETag']: + # Setting the status is enough here. The response handling path + # automatically removes content for this status code (in + # http.conditional_content_removal()). + response.status_code = 304 + + if response.has_header('Last-Modified'): + if_modified_since = request.META.get('HTTP_IF_MODIFIED_SINCE', None) + if if_modified_since == response['Last-Modified']: + # Setting the status code is enough here (same reasons as + # above). + response.status_code = 304 + + return response + +class SetRemoteAddrFromForwardedFor(object): + """ + Middleware that sets REMOTE_ADDR based on HTTP_X_FORWARDED_FOR, if the + latter is set. This is useful if you're sitting behind a reverse proxy that + causes each request's REMOTE_ADDR to be set to 127.0.0.1. + + Note that this does NOT validate HTTP_X_FORWARDED_FOR. If you're not behind + a reverse proxy that sets HTTP_X_FORWARDED_FOR automatically, do not use + this middleware. Anybody can spoof the value of HTTP_X_FORWARDED_FOR, and + because this sets REMOTE_ADDR based on HTTP_X_FORWARDED_FOR, that means + anybody can "fake" their IP address. Only use this when you can absolutely + trust the value of HTTP_X_FORWARDED_FOR. + """ + def process_request(self, request): + try: + real_ip = request.META['HTTP_X_FORWARDED_FOR'] + except KeyError: + return None + else: + # HTTP_X_FORWARDED_FOR can be a comma-separated list of IPs. The + # client's IP will be the first one. + real_ip = real_ip.split(",")[0].strip() + request.META['REMOTE_ADDR'] = real_ip |