upstream/kallithea Commit - r8679:3d7ba590

auth: only use X- headers instead of REMOTE_ADDR if explicitly told so in remote_addr_header...

Mads Kiilerich -

r8679:3d7ba590 default

parent child

development.ini

0 +3 0

              ## cut off limit for large diffs (size in bytes)
              cut_off_limit = 256000
+             ## WSGI environment variable to get the IP address of the client (default REMOTE_ADDR)
+             #remote_addr_variable = HTTP_X_FORWARDED_FOR
              ## always pretend the client connected using HTTPS (default false)
              #force_https = true

docs/setup.rst

0 +6 -2

              configured to pick that information up and trust it.
              Kallithea will by default rely on its WSGI server to provide the IP of the
-             client in the WSGI environment as ``REMOTE_ADDR``, but it can also
-             get it from the ``X-Real-IP`` or ``X-Forwarded-For`` HTTP headers.
+             client in the WSGI environment as ``REMOTE_ADDR``, but it can be configured to
+             get it from an HTTP header that has been set by the proxy server. For
+             example, if the proxy server puts the client IP in the ``X-Forwarded-For``
+             HTTP header, set::
+                 remote_addr_variable = HTTP_X_FORWARDED_FOR
              Kallithea will by default rely on finding the protocol (``http`` or ``https``)
              in the WSGI environment as ``wsgi.url_scheme``. If the proxy server puts

kallithea/controllers/base.py

0 +6 -14

              def get_ip_addr(environ):
-                 proxy_key = 'HTTP_X_REAL_IP'
-                 proxy_key2 = 'HTTP_X_FORWARDED_FOR'
-                 def_key = 'REMOTE_ADDR'
-                 ip = environ.get(proxy_key)
-                 if ip:
-                     return _filter_proxy(ip)
-                 ip = environ.get(proxy_key2)
-                 if ip:
-                     return _filter_proxy(ip)
-                 ip = environ.get(def_key, '0.0.0.0')
-                 return _filter_proxy(ip)
+                 """The web server will set REMOTE_ADDR to the unfakeable IP layer client IP address.
+                 If using a proxy server, make it possible to use another value, such as
+                 the X-Forwarded-For header, by setting `remote_addr_variable = HTTP_X_FORWARDED_FOR`.
+                 """
+                 remote_addr_variable = kallithea.CONFIG.get('remote_addr_variable', 'REMOTE_ADDR')
+                 return _filter_proxy(environ.get(remote_addr_variable, '0.0.0.0'))
              def get_path_info(environ):

kallithea/templates/ini/template.ini.mako

0 +3 0

              <%text>##</%text> cut off limit for large diffs (size in bytes)
              cut_off_limit = 256000
+             <%text>##</%text> WSGI environment variable to get the IP address of the client (default REMOTE_ADDR)
+             #remote_addr_variable = HTTP_X_FORWARDED_FOR
              <%text>##</%text> always pretend the client connected using HTTPS (default false)
              #force_https = true

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages