From e35acb094271d385268147b1583c725a108f2e26 Mon Sep 17 00:00:00 2001 From: Benjamin Dauvergne Date: Thu, 9 Apr 2015 12:45:11 +0200 Subject: [PATCH 1/3] Add a XForwardedForMiddleware middleware (#6922) It allows authentic to automatically get the real ip when behind Gunicorn+nginx. --- debian-wheezy/debian_config.py | 4 ++++ debian-wheezy/multitenant/debian_config.py | 1 + src/authentic2/middleware.py | 10 ++++++++++ 3 files changed, 15 insertions(+) diff --git a/debian-wheezy/debian_config.py b/debian-wheezy/debian_config.py index a9c123f..6883eed 100644 --- a/debian-wheezy/debian_config.py +++ b/debian-wheezy/debian_config.py @@ -1,11 +1,15 @@ import os import warnings + +# Add the XForwardedForMiddleware +MIDDLEWARE_CLASSES = ('authentic2.middleware.XForwardedForMiddleware',) + MIDDLEWARE_CLASSES + # Debian defaults DEBUG = False STATIC_ROOT = '/var/lib/authentic2/collectstatic/' STATICFILES_DIRS = ('/var/lib/authentic2/static',) + STATICFILES_DIRS TEMPLATE_DIRS = ('/var/lib/authentic2/templates',) + TEMPLATE_DIRS ADMINS = (('root', 'root@localhost'),) diff --git a/debian-wheezy/multitenant/debian_config.py b/debian-wheezy/multitenant/debian_config.py index d6264ba..aa97532 100644 --- a/debian-wheezy/multitenant/debian_config.py +++ b/debian-wheezy/multitenant/debian_config.py @@ -38,16 +38,17 @@ TENANT_APPS = INSTALLED_APPS INSTALLED_APPS = ('hobo.multitenant', 'hobo.agent.authentic2') + INSTALLED_APPS TEMPLATE_LOADERS = ('hobo.multitenant.template_loader.FilesystemLoader',) + TEMPLATE_LOADERS TEMPLATE_CONTEXT_PROCESSORS = ('django.core.context_processors.request',) + TEMPLATE_CONTEXT_PROCESSORS MIDDLEWARE_CLASSES = ( + 'authentic2.middleware.XForwardedForMiddleware', 'hobo.multitenant.middleware.TenantMiddleware', 'hobo.multitenant.middleware.TenantSettingsMiddleware', ) + MIDDLEWARE_CLASSES TENANT_SETTINGS_LOADERS = ( 'hobo.multitenant.settings_loaders.TemplateVars', 'hobo.multitenant.settings_loaders.Authentic', ) 
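Review bot: Prepending `'authentic2.middleware.XForwardedForMiddleware'` unconditionally in debian-wheezy/debian_config.py makes every packaged install rewrite `REMOTE_ADDR` from a request header, including installs where the application port can be reached without passing through the proxy. Nothing in the hunk records that assumption, so a comment such as `# Requires a reverse proxy that sets X-Forwarded-For; the app must not be reachable directly` above the line would help, or the line could ship commented out for the administrator to enable. The same applies to the entry added to `MIDDLEWARE_CLASSES` in debian-wheezy/multitenant/debian_config.py.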
diff --git a/src/authentic2/middleware.py b/src/authentic2/middleware.py
index 70345e5..88fc8f8 100644
--- a/src/authentic2/middleware.py
+++ b/src/authentic2/middleware.py
@@ -144,8 +144,18 @@ class ViewRestrictionMiddleware(object):
 def process_view(self, request, view_func, view_args, view_kwargs):
 '''If current view is not the one we should be, redirect'''
 view = self.check_view_restrictions(request)
 if not view or request.resolver_match.url_name in (view, 'auth_logout'):
 return
 if view == 'password_change':
 messages.warning(request, _('You must change your password to continue'))
 return utils.redirect_and_come_back(request, view)
+
+class XForwardedForMiddleware():
+ '''Copy the first address from X-Forwarded-For header to the REMOTE_ADDR meta.
+
+ This middleware should only be used if you are sure the header cannot be
+ forged (behind a reverse proxy for example).'''
+ def process_request(self, request):
+ if 'HTTP_X_FORWARDED_FOR' in request.META:
+ request.META['REMOTE_ADDR'] = request.META['HTTP_X_FORWARDED_FOR'].split(",")[0].strip()
+ return None
-- 
1.9.1
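Review bot: Taking the first entry of `HTTP_X_FORWARDED_FOR` in `process_request` trusts the part of the header that the client controls. A proxy that appends to an incoming X-Forwarded-For (nginx's `$proxy_add_x_forwarded_for` does this) keeps whatever the client sent on the left and adds the peer address it actually saw on the right, so even behind the reverse proxy the docstring has in mind, `REMOTE_ADDR` can be chosen by the caller unless the proxy overwrites the header. With a single trusted proxy the value to copy is the last entry, `request.META['HTTP_X_FORWARDED_FOR'].split(",")[-1].strip()`, and the docstring should say that the proxy must overwrite the header or that only the rightmost hop is trusted. Separately, `class XForwardedForMiddleware():` is an old-style class on Python 2; `class XForwardedForMiddleware(object):` would match `ViewRestrictionMiddleware(object)` named in the hunk header.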