Web Software Architecture and Engineering – Life on the Bleeding Edge

CGI Facade?! I’m sure you are saying, I’ve heard of a Session Facade, but why a CGI Facade…
Well, simple really. Web servers are evolving, and sooner or later you'll put a device or a server between your firewall and your web server: a clustering device, or a reverse proxy like my current favorite, NGINX (see previous post for details).
NGINX, for example, will accept HTTP requests on port 80 and forward them to your web server. In doing so, the web server sees the request as coming from NGINX and not from the outside world. Your CGI variables, notably REMOTE_ADDR (and REMOTE_HOST, if your server resolves it), will carry NGINX's address instead of the client's. A lot of the time you will run NGINX on the same physical server, and the CGI variables will start showing 127.0.0.1.
This can be a problem. For example, you may be using the IP for logging, for blocking abusive clients, or for configuration based on the environment. ColdFusion is not smart enough to know who the original requester is. But it's only partially at fault.
When NGINX gets the request, as you'll see from sample configs, it DOES pass along who the original requester is. It adds HTTP headers to the request before handing it off to the web server. Here are two lines from an NGINX proxy config; see if you can follow:
proxy_set_header    X-Real-IP          $remote_addr;
proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
As you can see, it's adding two headers, "X-Real-IP" and "X-Forwarded-For", with the IP of the requester. (The header name is hyphenated; ColdFusion exposes it in the CGI scope as HTTP_X_FORWARDED_FOR, with the hyphens turned into underscores.) X-Real-IP is simply the address NGINX saw the connection come from. $proxy_add_x_forwarded_for appends that same address to whatever X-Forwarded-For header already arrived, so behind a chain of proxies you get a comma-separated list with the nearest hop on the right. In your CGI Facade, you don't want to rely on REMOTE_ADDR and REMOTE_HOST; instead, if the headers are present, use them for whatever use case you may have. One caveat the facade must handle: anyone on the internet can send an X-Forwarded-For header too, and NGINX appends to it rather than replacing it. So only honor the header when REMOTE_ADDR is actually one of your proxies, and read the list from the right, skipping your own proxies, rather than taking the first entry. Otherwise an IP block or an audit log is defeated by a single forged header. In fact I would recommend you do that now, so as to future proof your apps.
This is not a new problem. Many people are familiar with Squid, and that too sets headers as it proxies. So get to it!
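Here is the facade logic spelled out as an added example, not code from the original post, written in Python rather than CFML because the decision it makes is language-independent. The `cgi` dictionary stands in for ColdFusion's CGI scope (REMOTE_ADDR plus the HTTP_X_FORWARDED_FOR and HTTP_X_REAL_IP keys that NGINX's two proxy_set_header lines produce), the proxy addresses in TRUSTED_PROXIES and every sample request are assumed for illustration, and the function and constant names are my own.

```python
import ipaddress
from typing import Mapping, Optional, Sequence, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Proxies whose X-Forwarded-For / X-Real-IP headers we are willing to believe.
# Assumed for this example: NGINX on the same box (127.0.0.1) and a load
# balancer somewhere in 10.0.0.0/8. Replace with your own proxy addresses.
TRUSTED_PROXIES: Sequence[IPNetwork] = (
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("10.0.0.0/8"),
)


def _parse_ip(value: str) -> Optional[IPAddress]:
    """Return an address object for value, or None if it is not a valid IP literal."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _is_trusted(addr: IPAddress, trusted: Sequence[IPNetwork]) -> bool:
    return any(addr in net for net in trusted)


def client_ip(cgi: Mapping[str, str], trusted: Sequence[IPNetwork] = TRUSTED_PROXIES) -> str:
    """The facade's answer to "who is the client?".

    `cgi` mirrors ColdFusion's CGI scope as a plain dict: REMOTE_ADDR is the
    peer that opened the TCP connection; HTTP_X_FORWARDED_FOR and
    HTTP_X_REAL_IP are the two headers NGINX adds. The header values are only
    consulted when the peer itself is one of our proxies, because anyone can
    send them. X-Forwarded-For is then read from the right (the nearest hop),
    skipping our own proxies; the first address that is not ours is the client.
    """
    remote = _parse_ip(cgi.get("REMOTE_ADDR", ""))
    if remote is None:
        raise ValueError("REMOTE_ADDR missing or malformed")

    if not _is_trusted(remote, trusted):
        # Direct connection (or an unknown proxy): the headers are untrusted input.
        return str(remote)

    hops = [h.strip() for h in cgi.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    if not hops:
        # No chain at all. X-Real-IP is the peer NGINX saw, which is the client
        # only when NGINX is the sole proxy in front of us.
        real = _parse_ip(cgi.get("HTTP_X_REAL_IP", ""))
        return str(real) if real is not None else str(remote)

    last_trusted = remote
    for hop in reversed(hops):
        addr = _parse_ip(hop)
        if addr is None:
            # Garbage in the list: nothing to the left of it can be believed.
            break
        if not _is_trusted(addr, trusted):
            return str(addr)
        last_trusted = addr
    # Every usable hop was one of our proxies (an internal request); report the
    # outermost of them rather than 127.0.0.1.
    return str(last_trusted)


# Constructed sample requests, one per situation the facade must handle.
SAMPLE_REQUESTS = {
    "direct hit, forged header": {
        "REMOTE_ADDR": "198.51.100.7",
        "HTTP_X_FORWARDED_FOR": "1.2.3.4",
    },
    "nginx on localhost, client forged header, nginx appended": {
        "REMOTE_ADDR": "127.0.0.1",
        "HTTP_X_FORWARDED_FOR": "1.2.3.4, 203.0.113.9",
        "HTTP_X_REAL_IP": "203.0.113.9",
    },
    "load balancer then nginx": {
        "REMOTE_ADDR": "127.0.0.1",
        "HTTP_X_FORWARDED_FOR": "203.0.113.9, 10.0.0.5",
        "HTTP_X_REAL_IP": "10.0.0.5",
    },
    "blank X-Forwarded-For, X-Real-IP present": {
        "REMOTE_ADDR": "127.0.0.1",
        "HTTP_X_FORWARDED_FOR": "",
        "HTTP_X_REAL_IP": "203.0.113.9",
    },
    "internal health check through nginx": {
        "REMOTE_ADDR": "127.0.0.1",
        "HTTP_X_FORWARDED_FOR": "10.0.0.5",
    },
}

if __name__ == "__main__":
    for label, request in SAMPLE_REQUESTS.items():
        print(f"{label:55} -> {client_ip(request)}")
```

The two things worth noticing are the early return when REMOTE_ADDR is not a known proxy (the forged "1.2.3.4" never gets a look) and the right-to-left walk, which is what makes the same code correct whether NGINX is alone or sits behind a load balancer.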


Comments on: "CGI Facade – Why You Should Use One" (7)

  1. David Boyer said:

    This is a good post. I think a lot of people forget to check for the X-Forwarded-For in their code and then have problems when it comes to things like blocking users by IP.

  2. “like a clustering device or a reverse proxy like my current favorite,”

    I first read that as “Cluttering device”, and my thought was that we have a ton of those around our network 🙂

    I usually roll both my CGI and Server values together into a single “Server” facade.

  3. It's the same for HAProxy (an excellent solution for load balancing, very popular among Amazon EC2 users): you need to add "option forwardfor" in your conf to get the X-Forwarded-For header.

  4. Akash Bavlecha said:

    I'm really confused about fetching the real IP address. I have used the following lines in my code. Still I face the same problem.

    Using this code I am still getting the wrong IP address. I think the proxy itself has the ability to set its address in the header for the HTTP forwarded variable. It seems it's not actually set in 'CGI.HTTP_X_Forwarded_For'. I'm getting a blank value every time even if I use a proxy.

    Any help will be appreciated.

  5. Akash,

    You need to look at the http headers, not CGI for HTTP_X_FORWARDED_FOR.

    Also, as a matter of coding standards, it's better to do:
    cfif len(trim(variable.x)) or structKeyExists(variables, “x”) vs EQ “”.

    Best of luck.

  6. Akash Bavlecha said:

    Thanks Sami,

    Moreover, I need to check HTTP headers, not CGI variables. I have tried to get the HTTP header variables. It was giving me an error with code 503.

    Can you please show me the syntax to retrieve the IP from HTTP headers.

  7. Akash,

    Ben Nadel is your friend.

    See his site:
    http://www.bennadel.com/blog/1425-Getting-Header-Values-From-A-ColdFusion-Request.htm

    His site will give you a lot of tips and tricks.

    Sami
