Made an application for supporting sustainable local businesses in San Pancho.
Never really got completed, but it has some useful Svelte components for maps that we can reuse.
http://greenspots.dctrl.space
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
187 lines
6.8 KiB
187 lines
6.8 KiB
""" |
|
X-Forwarded-For Proxy Fix |
|
========================= |
|
|
|
This module provides a middleware that adjusts the WSGI environ based on |
|
``X-Forwarded-`` headers that proxies in front of an application may |
|
set. |
|
|
|
When an application is running behind a proxy server, WSGI may see the |
|
request as coming from that server rather than the real client. Proxies |
|
set various headers to track where the request actually came from. |
|
|
|
This middleware should only be used if the application is actually |
|
behind such a proxy, and should be configured with the number of proxies |
|
that are chained in front of it. Not all proxies set all the headers. |
|
Since incoming headers can be faked, you must set how many proxies are |
|
setting each header so the middleware knows what to trust. |
|
|
|
.. autoclass:: ProxyFix |
|
|
|
:copyright: 2007 Pallets |
|
:license: BSD-3-Clause |
|
""" |
|
import typing as t |
|
|
|
from ..http import parse_list_header |
|
|
|
if t.TYPE_CHECKING: |
|
from _typeshed.wsgi import StartResponse |
|
from _typeshed.wsgi import WSGIApplication |
|
from _typeshed.wsgi import WSGIEnvironment |
|
|
|
|
|
class ProxyFix: |
|
"""Adjust the WSGI environ based on ``X-Forwarded-`` that proxies in |
|
front of the application may set. |
|
|
|
- ``X-Forwarded-For`` sets ``REMOTE_ADDR``. |
|
- ``X-Forwarded-Proto`` sets ``wsgi.url_scheme``. |
|
- ``X-Forwarded-Host`` sets ``HTTP_HOST``, ``SERVER_NAME``, and |
|
``SERVER_PORT``. |
|
- ``X-Forwarded-Port`` sets ``HTTP_HOST`` and ``SERVER_PORT``. |
|
- ``X-Forwarded-Prefix`` sets ``SCRIPT_NAME``. |
|
|
|
You must tell the middleware how many proxies set each header so it |
|
knows what values to trust. It is a security issue to trust values |
|
that came from the client rather than a proxy. |
|
|
|
The original values of the headers are stored in the WSGI |
|
environ as ``werkzeug.proxy_fix.orig``, a dict. |
|
|
|
:param app: The WSGI application to wrap. |
|
:param x_for: Number of values to trust for ``X-Forwarded-For``. |
|
:param x_proto: Number of values to trust for ``X-Forwarded-Proto``. |
|
:param x_host: Number of values to trust for ``X-Forwarded-Host``. |
|
:param x_port: Number of values to trust for ``X-Forwarded-Port``. |
|
:param x_prefix: Number of values to trust for |
|
``X-Forwarded-Prefix``. |
|
|
|
.. code-block:: python |
|
|
|
from werkzeug.middleware.proxy_fix import ProxyFix |
|
# App is behind one proxy that sets the -For and -Host headers. |
|
app = ProxyFix(app, x_for=1, x_host=1) |
|
|
|
.. versionchanged:: 1.0 |
|
Deprecated code has been removed: |
|
|
|
* The ``num_proxies`` argument and attribute. |
|
* The ``get_remote_addr`` method. |
|
* The environ keys ``orig_remote_addr``, |
|
``orig_wsgi_url_scheme``, and ``orig_http_host``. |
|
|
|
.. versionchanged:: 0.15 |
|
All headers support multiple values. The ``num_proxies`` |
|
argument is deprecated. Each header is configured with a |
|
separate number of trusted proxies. |
|
|
|
.. versionchanged:: 0.15 |
|
Original WSGI environ values are stored in the |
|
``werkzeug.proxy_fix.orig`` dict. ``orig_remote_addr``, |
|
``orig_wsgi_url_scheme``, and ``orig_http_host`` are deprecated |
|
and will be removed in 1.0. |
|
|
|
.. versionchanged:: 0.15 |
|
Support ``X-Forwarded-Port`` and ``X-Forwarded-Prefix``. |
|
|
|
.. versionchanged:: 0.15 |
|
``X-Forwarded-Host`` and ``X-Forwarded-Port`` modify |
|
``SERVER_NAME`` and ``SERVER_PORT``. |
|
""" |
|
|
|
def __init__( |
|
self, |
|
app: "WSGIApplication", |
|
x_for: int = 1, |
|
x_proto: int = 1, |
|
x_host: int = 0, |
|
x_port: int = 0, |
|
x_prefix: int = 0, |
|
) -> None: |
|
self.app = app |
|
self.x_for = x_for |
|
self.x_proto = x_proto |
|
self.x_host = x_host |
|
self.x_port = x_port |
|
self.x_prefix = x_prefix |
|
|
|
def _get_real_value(self, trusted: int, value: t.Optional[str]) -> t.Optional[str]: |
|
"""Get the real value from a list header based on the configured |
|
number of trusted proxies. |
|
|
|
:param trusted: Number of values to trust in the header. |
|
:param value: Comma separated list header value to parse. |
|
:return: The real value, or ``None`` if there are fewer values |
|
than the number of trusted proxies. |
|
|
|
.. versionchanged:: 1.0 |
|
Renamed from ``_get_trusted_comma``. |
|
|
|
.. versionadded:: 0.15 |
|
""" |
|
if not (trusted and value): |
|
return None |
|
values = parse_list_header(value) |
|
if len(values) >= trusted: |
|
return values[-trusted] |
|
return None |
|
|
|
def __call__( |
|
self, environ: "WSGIEnvironment", start_response: "StartResponse" |
|
) -> t.Iterable[bytes]: |
|
"""Modify the WSGI environ based on the various ``Forwarded`` |
|
headers before calling the wrapped application. Store the |
|
original environ values in ``werkzeug.proxy_fix.orig_{key}``. |
|
""" |
|
environ_get = environ.get |
|
orig_remote_addr = environ_get("REMOTE_ADDR") |
|
orig_wsgi_url_scheme = environ_get("wsgi.url_scheme") |
|
orig_http_host = environ_get("HTTP_HOST") |
|
environ.update( |
|
{ |
|
"werkzeug.proxy_fix.orig": { |
|
"REMOTE_ADDR": orig_remote_addr, |
|
"wsgi.url_scheme": orig_wsgi_url_scheme, |
|
"HTTP_HOST": orig_http_host, |
|
"SERVER_NAME": environ_get("SERVER_NAME"), |
|
"SERVER_PORT": environ_get("SERVER_PORT"), |
|
"SCRIPT_NAME": environ_get("SCRIPT_NAME"), |
|
} |
|
} |
|
) |
|
|
|
x_for = self._get_real_value(self.x_for, environ_get("HTTP_X_FORWARDED_FOR")) |
|
if x_for: |
|
environ["REMOTE_ADDR"] = x_for |
|
|
|
x_proto = self._get_real_value( |
|
self.x_proto, environ_get("HTTP_X_FORWARDED_PROTO") |
|
) |
|
if x_proto: |
|
environ["wsgi.url_scheme"] = x_proto |
|
|
|
x_host = self._get_real_value(self.x_host, environ_get("HTTP_X_FORWARDED_HOST")) |
|
if x_host: |
|
environ["HTTP_HOST"] = environ["SERVER_NAME"] = x_host |
|
# "]" to check for IPv6 address without port |
|
if ":" in x_host and not x_host.endswith("]"): |
|
environ["SERVER_NAME"], environ["SERVER_PORT"] = x_host.rsplit(":", 1) |
|
|
|
x_port = self._get_real_value(self.x_port, environ_get("HTTP_X_FORWARDED_PORT")) |
|
if x_port: |
|
host = environ.get("HTTP_HOST") |
|
if host: |
|
# "]" to check for IPv6 address without port |
|
if ":" in host and not host.endswith("]"): |
|
host = host.rsplit(":", 1)[0] |
|
environ["HTTP_HOST"] = f"{host}:{x_port}" |
|
environ["SERVER_PORT"] = x_port |
|
|
|
x_prefix = self._get_real_value( |
|
self.x_prefix, environ_get("HTTP_X_FORWARDED_PREFIX") |
|
) |
|
if x_prefix: |
|
environ["SCRIPT_NAME"] = x_prefix |
|
|
|
return self.app(environ, start_response)
|
|
|