On Mar 20, 2017, at 11:30 AM, Tom Most <tommost@gmail.com> wrote:

If Twisted is to support this in any way, I think that it should be opt-in support for the Forwarded header as specified in RFC 7239. This should be a parameter applicable to all of twisted.web.server rather than per-method call, since it's something the administrator needs to set.


I'm generally in agreement with this.  Further, we should probably have some notion of authentication, i.e. Site(..., trustForwardedForFrom=[...]), where [...] could be, let's say, a twisted.internet.ssl.Certificate representing a client CA to check client connections from, or a list of twisted.internet.address.IPv4Address objects naming servers on a network we can trust.  Effectively building in authentication to this layer is important (and since Twisted is a web _server_ and not a web framework, more generally possible than e.g. Django).

-glyph
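
The behaviour discussed in this thread, as an added example that is not part of either message and is not Twisted code: the RFC 7239 Forwarded header is honoured only when the TCP peer is on an administrator-supplied allow-list, and the hop chain is walked from the nearest proxy outward until the first untrusted address. The function names and the list-of-networks parameter are assumptions made for illustration; only the address-list form of trust is covered, not the client-certificate form.

```python
import ipaddress
import re

# One forwarded-pair (RFC 7239 section 4): token "=" ( token / quoted-string )
_PAIR = re.compile(
    r'''[ \t]*([A-Za-z0-9!#$%&'*+.^_`|~-]+)=(?:"((?:[^"\\]|\\.)*)"|([^;,"\s]+))[ \t]*''')

def parse_forwarded(value):
    """Split a Forwarded field value into one dict per hop, in header order."""
    elements, current, pos = [], {}, 0
    while pos < len(value):
        m = _PAIR.match(value, pos)
        if not m:
            raise ValueError("malformed Forwarded header")
        quoted = m.group(2)
        current[m.group(1).lower()] = (
            re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else m.group(3))
        pos = m.end()
        if pos < len(value):
            if value[pos] not in ";,":
                raise ValueError("malformed Forwarded header")
            if value[pos] == ",":          # "," ends this hop's element
                elements.append(current)
                current = {}
            pos += 1
    elements.append(current)
    return elements

def node_ip(node):
    """IP of a 'for' node; None for "unknown", "_obfuscated" or garbage."""
    host = node[1:].split("]", 1)[0] if node.startswith("[") else node.split(":", 1)[0]
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def client_address(peer, forwarded_values, trusted_networks):
    """Address to attribute a request to; fails closed to the TCP peer."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    current = ipaddress.ip_address(peer)
    if not any(current in n for n in nets):
        return current                      # untrusted peer: header is ignored
    try:
        hops = parse_forwarded(", ".join(forwarded_values))
    except ValueError:
        return current
    for hop in reversed(hops):              # nearest proxy's entry is last
        ip = node_ip(hop.get("for", ""))
        if ip is None:
            break                           # unknown/obfuscated: stop walking
        current = ip
        if not any(ip in n for n in nets):
            break                           # first untrusted hop is the client
    return current
```

Entries to the left of the first untrusted hop are never consulted, so a value the client supplied itself cannot displace the address recorded by the trusted proxy.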