可以使用request.access_route
attribute只有当你定义一个列表的信任代理。
access_route
属性使用X-Forwarded-For
header,回落到REMOTE_ADDR
WSGI变量;后者很好,因为你的服务器决定这一点;在X-Forwarded-For
可能已被几乎任何人都设定,但如果你信任的代理正确设置值,然后使用第一个(从端)成为不信任:
trusted_proxies = {'127.0.0.1'} # define your own set
route = request.access_route + [request.remote_addr]
remote_addr = next((addr for addr in reversed(route)
if addr not in trusted_proxies), request.remote_addr)
这样,即使有人用fake_ip1,fake_ip2
欺骗X-Forwarded-For
标头,代理服务器也会将,spoof_machine_ip
添加到最后,并且上述代码会将remote_addr
设置为spoof_machine_ip
,而不管您的最外层代理还有多少个可信代理。
这是您的链接文章谈到的白名单方法(简要地说,Rails使用它)以及什么Zope implemented over 11 years ago。
您的ProxyFix方法工作得很好,但您误解了它的功能。它只有集合request.remote_addr
; request.access_route
属性不变(X-Forwarded-For
标头为而不是由中间件调整)。 但是,我会非常谨慎地盲目代理代理。
将同样的白名单的方法来中间件会是什么样子:
class WhitelistRemoteAddrFix(object):
"""This middleware can be applied to add HTTP proxy support to an
application that was not designed with HTTP proxies in mind. It
only sets `REMOTE_ADDR` from `X-Forwarded` headers.
Tests proxies against a set of trusted proxies.
The original value of `REMOTE_ADDR` is stored in the WSGI environment
as `werkzeug.whitelist_remoteaddr_fix.orig_remote_addr`.
:param app: the WSGI application
:param trusted_proxies: a set or sequence of proxy ip addresses that can be trusted.
"""
def __init__(self, app, trusted_proxies=()):
self.app = app
self.trusted_proxies = frozenset(trusted_proxies)
def get_remote_addr(self, remote_addr, forwarded_for):
"""Selects the new remote addr from the given list of ips in
X-Forwarded-For. Picks first non-trusted ip address.
"""
if remote_addr in self.trusted_proxies:
return next((ip for ip in reversed(forwarded_for)
if ip not in self.trusted_proxies),
remote_addr)
def __call__(self, environ, start_response):
getter = environ.get
remote_addr = getter('REMOTE_ADDR')
forwarded_for = getter('HTTP_X_FORWARDED_FOR', '').split(',')
environ.update({
'werkzeug.whitelist_remoteaddr_fix.orig_remote_addr': remote_addr,
})
forwarded_for = [x for x in [x.strip() for x in forwarded_for] if x]
remote_addr = self.get_remote_addr(remote_addr, forwarded_for)
if remote_addr is not None:
environ['REMOTE_ADDR'] = remote_addr
return self.app(environ, start_response)
要明确:这个中间件也只有套request.remote_addr
; request.access_route
保持不变。
我想我只是困惑为什么所谓的“ProxyFix”没有解决这个问题。我应该打扰ProxyFix吗? –
thx再Martijn! –