From 09cdc3e176b0977e0b96542eb2fb467ecf5e34c2 Mon Sep 17 00:00:00 2001
From: Klaas van Schelven
Date: Fri, 25 Jul 2025 17:09:50 +0200
Subject: [PATCH] Add note about IP addresses in X-Forwarded-For headers
---
 bugsink/middleware.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/bugsink/middleware.py b/bugsink/middleware.py
index 2d5674e..3578fd3 100644
--- a/bugsink/middleware.py
+++ b/bugsink/middleware.py
@@ -89,6 +89,11 @@ class SetRemoteAddrMiddleware:

 @staticmethod
 def parse_x_forwarded_for(header_value):
+ # NOTE: our method parsing _does not_ remove port numbers from the X-Forwarded-For header; such setups are rare
+ # (but legal according to the spec) but [1] we don't recommend them and [2] we recommend X-Real-IP over
+ # X-Forwarded-For anyway.
+ # https://serverfault.com/questions/753682/iis-server-farm-with-arr-why-does-http-x-forwarded-for-have-a-port-nu
+
 if header_value in [None, ""]:
 # The most typical misconfiguration is to forget to set the header at all, or to have it be empty. In that
 # case, we'll just set the IP to None, which will mean some data will be missing from your events (but
@@ -116,6 +121,7 @@ class SetRemoteAddrMiddleware:

 def __call__(self, request):
 if settings.USE_X_REAL_IP:
+ # NOTE: X-Real-IP never contains a port number AFAICT by searching online so the below is IP-only:
 request.META["REMOTE_ADDR"] = request.META.get("HTTP_X_REAL_IP", None)
 elif settings.USE_X_FORWARDED_FOR:
 # elif: X-Real-IP / X-Forwarded-For are mutually exclusive
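Review bot: The new comment at the top of `parse_x_forwarded_for` says port numbers are not stripped but does not say what the caller then receives, which matters because the result is presumably used as REMOTE_ADDR (that assignment is outside this hunk). A value such as `203.0.113.7:51234` (constructed example) is not a valid IP address, so anything downstream that parses, compares or groups by address would see a malformed or distinct client. I would add one sentence to the note, e.g. `# A value carrying a port is passed through unchanged and will not be a valid IP address.`, and consider rejecting such values with `ipaddress.ip_address()` instead of storing them. The function body continues past the end of the hunk, so I cannot see whether later code already validates the result.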
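Review bot: The note added under `if settings.USE_X_REAL_IP:` rests on "AFAICT by searching online", but the line below it copies the header into REMOTE_ADDR verbatim, so the format is whatever the sender put there. X-Real-IP is a convention, not a specified header, and it is only trustworthy when the reverse proxy sets or overwrites it on every request; otherwise a client-supplied value becomes the recorded address. I would state that assumption in the comment instead: `# NOTE: X-Real-IP is taken as-is; enable USE_X_REAL_IP only behind a proxy that always overwrites this header.` `__call__` continues outside the hunk.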