Mercurial > libervia-web
comparison libervia/server/server.py @ 1467:d6062cccd4c0
server: better reverse proxy headers handling:
reverse proxy header were not used if `X-Forwarded-Host` was not set, with this patch
`X-Forwarded-Host` and `X-Forwarded-Proto` are check independently. Furthermore, the new
standardised `Forwarded` header is not checked too.
fix 396
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Thu, 30 Sep 2021 18:40:49 +0200 |
| parents | 87e48b6a1bbd |
| children | 83cd4862b134 |
comparison
equal
deleted
inserted
replaced
| 1466:cff720e26089 | 1467:d6062cccd4c0 |
|---|---|
| 1654 @return (urlparse.SplitResult): SplitResult instance with only scheme and | 1654 @return (urlparse.SplitResult): SplitResult instance with only scheme and |
| 1655 netloc filled | 1655 netloc filled |
| 1656 """ | 1656 """ |
| 1657 ext_data = self.base_url_ext_data | 1657 ext_data = self.base_url_ext_data |
| 1658 url_path = request.URLPath() | 1658 url_path = request.URLPath() |
| 1659 if not ext_data.scheme or not ext_data.netloc: | 1659 |
| 1660 # ext_data is not specified, we check headers | 1660 try: |
| 1661 if request.requestHeaders.hasHeader("x-forwarded-host"): | 1661 forwarded = request.requestHeaders.getRawHeaders( |
| 1662 # we are behing a proxy | 1662 "forwarded" |
| 1663 # we fill proxy_scheme and proxy_netloc value | 1663 )[0] |
| 1664 proxy_host = request.requestHeaders.getRawHeaders("x-forwarded-host")[0] | 1664 except TypeError: |
| 1665 try: | 1665 # we try deprecated headers |
| 1666 proxy_server = request.requestHeaders.getRawHeaders( | 1666 try: |
| 1667 "x-forwarded-server" | 1667 proxy_netloc = request.requestHeaders.getRawHeaders( |
| 1668 )[0] | 1668 "x-forwarded-host" |
| 1669 except TypeError: | 1669 )[0] |
| 1670 # no x-forwarded-server found, we use proxy_host | 1670 except TypeError: |
| 1671 proxy_netloc = proxy_host | 1671 proxy_netloc = None |
| 1672 else: | 1672 try: |
| 1673 # if the proxy host has a port, we use it with server name | 1673 proxy_scheme = request.requestHeaders.getRawHeaders( |
| 1674 proxy_port = urllib.parse.urlsplit("//{}".format(proxy_host)).port | 1674 "x-forwarded-proto" |
| 1675 proxy_netloc = ( | 1675 )[0] |
| 1676 "{}:{}".format(proxy_server, proxy_port) | 1676 except TypeError: |
| 1677 if proxy_port is not None | 1677 proxy_scheme = None |
| 1678 else proxy_server | |
| 1679 ) | |
| 1680 try: | |
| 1681 proxy_scheme = request.requestHeaders.getRawHeaders( | |
| 1682 "x-forwarded-proto" | |
| 1683 )[0] | |
| 1684 except TypeError: | |
| 1685 proxy_scheme = None | |
| 1686 else: | |
| 1687 proxy_scheme, proxy_netloc = None, None | |
| 1688 else: | 1678 else: |
| 1689 proxy_scheme, proxy_netloc = None, None | 1679 fwd_data = { |
| 1680 k.strip(): v.strip() | |
| 1681 for k,v in (d.split("=") for d in forwarded.split(";")) | |
| 1682 } | |
| 1683 proxy_netloc = fwd_data.get("host") | |
| 1684 proxy_scheme = fwd_data.get("proto") | |
| 1690 | 1685 |
| 1691 return urllib.parse.SplitResult( | 1686 return urllib.parse.SplitResult( |
| 1692 ext_data.scheme or proxy_scheme or url_path.scheme.decode("utf-8"), | 1687 ext_data.scheme or proxy_scheme or url_path.scheme.decode(), |
| 1693 ext_data.netloc or proxy_netloc or url_path.netloc.decode("utf-8"), | 1688 ext_data.netloc or proxy_netloc or url_path.netloc.decode(), |
| 1694 ext_data.path or "/", | 1689 ext_data.path or "/", |
| 1695 "", | 1690 "", |
| 1696 "", | 1691 "", |
| 1697 ) | 1692 ) |
| 1698 | 1693 |