diff options
| author | Ivan Gabaldon <igabaldon@inetol.net> | 2025-08-09 23:03:30 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-08-09 23:03:30 +0200 |
| commit | ce8929cabe27c7cf0bfb21b47786c7442ffb3712 (patch) | |
| tree | 8b478698e812efee8e457d34cef8fbd43d2da024 /searx/botdetection/ip_lists.py | |
| parent | 341d718c7f8557e03e184102f63b2f4a4364b939 (diff) | |
[mod] limiter: trusted proxies (#4911)
Replaces `x_for` functionality with `trusted_proxies`. This allows defining
which IP / ranges to trust extracting the client IP address from X-Forwarded-For
and X-Real-IP headers.
We don't know if the proxy chain will give us the proper client
address (REMOTE_ADDR in the WSGI environment), so we rely on reading the headers
of the proxy before SearXNG (if there is one, in that case it must be added to
trusted_proxies) hoping it has done the proper checks. In case a proxy in the
chain does not check the client address correctly, integrity is compromised and
this should be fixed by whoever manages the proxy, not us.
Closes:
- https://github.com/searxng/searxng/issues/4940
- https://github.com/searxng/searxng/issues/4939
- https://github.com/searxng/searxng/issues/4907
- https://github.com/searxng/searxng/issues/3632
- https://github.com/searxng/searxng/issues/3191
- https://github.com/searxng/searxng/issues/1237
Related:
- https://github.com/searxng/searxng-docker/issues/386
- https://github.com/inetol-infrastructure/searxng-container/issues/81
Diffstat (limited to 'searx/botdetection/ip_lists.py')
| -rw-r--r-- | searx/botdetection/ip_lists.py | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/searx/botdetection/ip_lists.py b/searx/botdetection/ip_lists.py index 2ad1c62d0..77628b577 100644 --- a/searx/botdetection/ip_lists.py +++ b/searx/botdetection/ip_lists.py @@ -4,21 +4,22 @@ Method ``ip_lists`` ------------------- -The ``ip_lists`` method implements IP :py:obj:`block- <block_ip>` and -:py:obj:`pass-lists <pass_ip>`. +The ``ip_lists`` method implements :py:obj:`block-list <block_ip>` and +:py:obj:`pass-list <pass_ip>`. .. code:: toml [botdetection.ip_lists] pass_ip = [ - '167.235.158.251', # IPv4 of check.searx.space - '192.168.0.0/16', # IPv4 private network - 'fe80::/10' # IPv6 linklocal + '167.235.158.251', # IPv4 of check.searx.space + '192.168.0.0/16', # IPv4 private network + 'fe80::/10', # IPv6 linklocal ] + block_ip = [ - '93.184.216.34', # IPv4 of example.org - '257.1.1.1', # invalid IP --> will be ignored, logged in ERROR class + '93.184.216.34', # IPv4 of example.org + '257.1.1.1', # invalid IP --> will be ignored, logged in ERROR class ] """ @@ -72,7 +73,6 @@ def block_ip(real_ip: IPv4Address | IPv6Address, cfg: config.Config) -> Tuple[bo def ip_is_subnet_of_member_in_list( real_ip: IPv4Address | IPv6Address, list_name: str, cfg: config.Config ) -> Tuple[bool, str]: - for net in cfg.get(list_name, default=[]): try: net = ip_network(net, strict=False) |