Replace proxy_addr with option to trust proxies in 10.0.0.0/8.

2026-01-24 22:38:09 -05:00 · 2012-01-20 09:23:58 -08:00
parent f52759f0da
commit e7b672d6b0
3 changed files with 11 additions and 5 deletions
--- a/r2/example.ini
+++ b/r2/example.ini
@@ -74,9 +74,9 @@ locale = C
 # default site language (two letter character code)
 lang = en
 lang_override =
-# if your webserver is a proxy and on a different instance, use
-# X-forwarded-for and set this to the webserver's IP
-proxy_addr = 
+# if your webserver is a proxy and on a different instance on the same 10.0.0.0/8 network
+# set X-forwarded-for and set this to true
+trust_local_proxies = false
 # hash for validating HTTP_TRUE_CLIENT_IP_HASH
 ip_hash = 
 # timezone for storing
--- a/r2/r2/lib/app_globals.py
+++ b/r2/r2/lib/app_globals.py
@@ -98,6 +98,7 @@ class Globals(object):
                  'disable_ads',
                  'static_pre_gzipped',
                  'static_secure_pre_gzipped',
+                  'trust_local_proxies',
                  ]

    tuple_props = ['stalecaches',
@@ -112,7 +113,6 @@ class Globals(object):
                   'allowed_css_linked_domains',
                   'authorized_cnames',
                   'hardcache_categories',
-                   'proxy_addr',
                   's3_media_buckets',
                   'allowed_pay_countries',
                   'case_sensitive_domains']
--- a/r2/r2/lib/base.py
+++ b/r2/r2/lib/base.py
@@ -42,6 +42,12 @@ import logging
 from r2.lib.utils import UrlParser, query_string
 logging.getLogger('scgi-wsgi').setLevel(logging.CRITICAL)

+
+def is_local_address(ip):
+    # TODO: support the /20 and /24 private networks? make this configurable?
+    return ip.startswith('10.')
+
+
 class BaseController(WSGIController):
    def try_pagecache(self):
        pass
@@ -65,7 +71,7 @@ class BaseController(WSGIController):
            and hashlib.md5(true_client_ip + g.ip_hash).hexdigest() \
            == ip_hash.lower()):
            request.ip = true_client_ip
-        elif remote_addr in g.proxy_addr and forwarded_for:
+        elif g.trust_local_proxies and forwarded_for and is_local_address(remote_addr):
            request.ip = forwarded_for.split(',')[-1]
        else:
            request.ip = environ['REMOTE_ADDR']