|
1 | | -"""Boilerplate project module.""" |
| 1 | +"""WSGI ProxyFix middleware.""" |
2 | 2 |
|
3 | | -HELLO = "hello world" |
| 3 | +import typing as t |
| 4 | +from ipaddress import ip_address |
| 5 | + |
| 6 | + |
| 7 | +def _split(string): |
| 8 | + return string.split(",") if string else [] |
| 9 | + |
| 10 | + |
| 11 | +class ProxyFix: |
| 12 | + """This is a slightly modified version of werkzeug's ProxyFix. |
| 13 | +
|
| 14 | + Instead of using a fixed number of proxies it uses a list of trusted IP |
| 15 | + addresses. |
| 16 | +
|
| 17 | + This middleware can be applied to add HTTP proxy support to an |
| 18 | + application that was not designed with HTTP proxies in mind. It |
| 19 | + sets `REMOTE_ADDR`, `HTTP_HOST` from `X-Forwarded` headers. |
| 20 | +
|
| 21 | + The original values of `REMOTE_ADDR` and `HTTP_HOST` are stored in |
| 22 | + the WSGI environment as `werkzeug.proxy_fix.orig_remote_addr` and |
| 23 | + `werkzeug.proxy_fix.orig_http_host`. |
| 24 | +
|
| 25 | + Args: |
| 26 | + proxies: List of IP-addreses which’s X-Forwarded headers should be trusted. |
| 27 | + """ |
| 28 | + |
| 29 | + @classmethod |
| 30 | + def from_config(cls, config_getter: t.Callable[[str, t.Any], t.Any]): |
| 31 | + """Create a new instance from a config getter function.""" |
| 32 | + return cls(config_getter("PROXYFIX_TRUSTED", ["127.0.0.1"])) |
| 33 | + |
| 34 | + def __init__(self, proxies: t.Iterable[str]): |
| 35 | + """Create a new instance by passing the list of trusted proxies.""" |
| 36 | + self.trusted = frozenset(ip_address(p.strip()) for p in proxies) |
| 37 | + |
| 38 | + def get_remote_addr(self, forwarded_for: list[str]): |
| 39 | + """Select the first “untrusted” remote addr. |
| 40 | +
|
| 41 | + Values to X-Forwarded-For are expected to be appended so the inner proxy layers are to the |
| 42 | + right. The innermost untrusted IP is returned. |
| 43 | + """ |
| 44 | + previous = None |
| 45 | + for ip_str in reversed(forwarded_for): |
| 46 | + ip_str = ip_str.strip() |
| 47 | + try: |
| 48 | + if ip_address(ip_str) not in self.trusted: |
| 49 | + return ip_str |
| 50 | + except ValueError: |
| 51 | + return previous |
| 52 | + previous = ip_str |
| 53 | + return previous |
| 54 | + |
| 55 | + def update_environ(self, environ): |
| 56 | + """Update the WSGI environment according to the headers.""" |
| 57 | + env = environ.get |
| 58 | + remote_addr = env("REMOTE_ADDR") |
| 59 | + if not remote_addr: |
| 60 | + return |
| 61 | + |
| 62 | + try: |
| 63 | + remote_addr_ip = ip_address(remote_addr) |
| 64 | + except ValueError: |
| 65 | + remote_addr_ip = ip_address("127.0.0.1") |
| 66 | + |
| 67 | + environ.update( |
| 68 | + { |
| 69 | + "werkzeug.proxy_fix.orig_wsgi_url_scheme": env("wsgi.url_scheme"), |
| 70 | + "werkzeug.proxy_fix.orig_remote_addr": env("REMOTE_ADDR"), |
| 71 | + "werkzeug.proxy_fix.orig_http_host": env("HTTP_HOST"), |
| 72 | + } |
| 73 | + ) |
| 74 | + |
| 75 | + if remote_addr_ip in self.trusted: |
| 76 | + if forwarded_host := env("HTTP_X_FORWARDED_HOST", ""): |
| 77 | + environ["HTTP_HOST"] = forwarded_host |
| 78 | + if forwarded_proto := env("HTTP_X_FORWARDED_PROTO", ""): |
| 79 | + https = "https" in forwarded_proto.lower() |
| 80 | + environ["wsgi.url_scheme"] = "https" if https else "http" |
| 81 | + forwarded_for = _split(env("HTTP_X_FORWARDED_FOR", "")) |
| 82 | + if remote_addr := self.get_remote_addr(forwarded_for): |
| 83 | + environ["REMOTE_ADDR"] = remote_addr |
| 84 | + |
| 85 | + def wrap(self, wsgi_app): |
| 86 | + """Wrap a wsgi app with this middleware.""" |
| 87 | + |
| 88 | + def wrapped(environ, start_response): |
| 89 | + self.update_environ(environ) |
| 90 | + return wsgi_app(environ, start_response) |
| 91 | + |
| 92 | + return wrapped |
0 commit comments