Commit 2c484ab3 authored by Kazuhiko Shiozaki's avatar Kazuhiko Shiozaki

fixup! ERP5Type/patches: use the first entry of HTTP_X_FORWARDED_FOR as the source IP address.

parent 4a62a6e9
......@@ -139,7 +139,8 @@ def createServer(application, logger, **kw):
server = create_server(
TransLogger(application, logger=logger),
trusted_proxy='*',
trusted_proxy_headers=('x-forwarded-for',),
# We handle X-Forwarded-For by ourselves. See ERP5Type/patches/WSGITask.py.
# trusted_proxy_headers=('x-forwarded-for',),
clear_untrusted_proxy_headers=True,
**kw
)
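Review bot: The new comment in the `create_server(...)` call says where X-Forwarded-For is handled but not what the setting now relies on, and the old argument is left behind as commented-out code. With `trusted_proxy='*'` every connecting peer is treated as a proxy, and with no trusted headers plus `clear_untrusted_proxy_headers=True` waitress presumably strips X-Forwarded-For before the application sees it, so the patched `parse_proxy_headers` would be the only reader of that header. I would delete the commented-out line and write the comment as `# X-Forwarded-For is read only by ERP5Type/patches/WSGITask.py; this port must be reachable solely through the sanitising frontend.` createServer's body starts outside the hunk.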
......
......@@ -90,6 +90,7 @@ from Products.ERP5Type.patches import ZSQLMethod
from Products.ERP5Type.patches import MimetypesRegistry
from Products.ERP5Type.patches import users
from Products.ERP5Type.patches import Publish
from Products.ERP5Type.patches import WSGITask
# These symbols are required for backward compatibility
from Products.ERP5Type.patches.PropertyManager import ERP5PropertyManager
......
# -*- coding: utf-8 -*-
import ZPublisher.HTTPRequest
from waitress.task import WSGITask
WSGITask_parse_proxy_headers = WSGITask.parse_proxy_headers
def parse_proxy_headers(
self,
environ,
headers,
trusted_proxy_count=1,
trusted_proxy_headers=None,
):
if ZPublisher.HTTPRequest.trusted_proxies == ('0.0.0.0',): # Magic value to enable this functionality
# Frontend-facing proxy is responsible for sanitising
# X_FORWARDED_FOR, and only trusted accesses should bypass
# that proxy. So trust first entry.
forwarded_for = headers.get('X_FORWARDED_FOR', '').split(',', 1)[0].strip()
else:
forwarded_for = None
untrusted_headers = WSGITask_parse_proxy_headers(
self,
environ=environ,
headers=headers,
trusted_proxy_count=trusted_proxy_count,
trusted_proxy_headers=trusted_proxy_headers,
)
if forwarded_for:
environ['REMOTE_ADDR'] = forwarded_for
return untrusted_headers
WSGITask.parse_proxy_headers = parse_proxy_headers
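Review bot: `forwarded_for` is copied into `environ['REMOTE_ADDR']` without checking that it is an IP address, so whatever text sits in the first X-Forwarded-For entry becomes the source address seen by logging and any address-based checks downstream. The first entry is the one furthest from this server, and the inline comment relies on the frontend proxy having sanitised it; whether the frontend overwrites or appends to a client-supplied header is not visible here. I would accept the value only when it parses as a bare IPv4 or IPv6 literal and otherwise keep the address waitress computed, as sketched below (the module would need `import socket`). A short docstring stating that `trusted_proxies == ('0.0.0.0',)` is the opt-in switch would also help, since the patch is installed on WSGITask at import time.

```python
def _is_ip_literal(value):
  # True only for a bare IPv4 or IPv6 address (no port, no hostname, no "unknown").
  for family in (socket.AF_INET, socket.AF_INET6):
    try:
      socket.inet_pton(family, value)
      return True
    except (socket.error, ValueError):
      pass
  return False

# ... unchanged: parse_proxy_headers signature, magic-value check, call to the original method ...
  if forwarded_for and _is_ip_literal(forwarded_for):
    environ['REMOTE_ADDR'] = forwarded_for
  return untrusted_headers
```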