diff options
| author | Ivan Gabaldon <igabaldon@inetol.net> | 2025-08-09 23:03:30 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-08-09 23:03:30 +0200 |
| commit | ce8929cabe27c7cf0bfb21b47786c7442ffb3712 (patch) | |
| tree | 8b478698e812efee8e457d34cef8fbd43d2da024 /searx/limiter.toml | |
| parent | 341d718c7f8557e03e184102f63b2f4a4364b939 (diff) | |
[mod] limiter: trusted proxies (#4911)
Replaces `x_for` functionality with `trusted_proxies`. This allows defining
which IP / ranges to trust extracting the client IP address from X-Forwarded-For
and X-Real-IP headers.
We don't know if the proxy chain will give us the proper client
address (REMOTE_ADDR in the WSGI environment), so we rely on reading the headers
of the proxy before SearXNG (if there is one, in that case it must be added to
trusted_proxies) hoping it has done the proper checks. In case a proxy in the
chain does not check the client address correctly, integrity is compromised and
this should be fixed by whoever manages the proxy, not us.
Closes:
- https://github.com/searxng/searxng/issues/4940
- https://github.com/searxng/searxng/issues/4939
- https://github.com/searxng/searxng/issues/4907
- https://github.com/searxng/searxng/issues/3632
- https://github.com/searxng/searxng/issues/3191
- https://github.com/searxng/searxng/issues/1237
Related:
- https://github.com/searxng/searxng-docker/issues/386
- https://github.com/inetol-infrastructure/searxng-container/issues/81
Diffstat (limited to 'searx/limiter.toml')
| -rw-r--r-- | searx/limiter.toml | 21 |
1 files changed, 15 insertions, 6 deletions
diff --git a/searx/limiter.toml b/searx/limiter.toml index b64a7bf28..0b40bf81f 100644 --- a/searx/limiter.toml +++ b/searx/limiter.toml @@ -1,8 +1,4 @@ -[real_ip] - -# Number of values to trust for X-Forwarded-For. - -x_for = 1 +[botdetection] # The prefix defines the number of leading bits in an address that are compared # to determine whether or not an address is part of a (client) network. @@ -10,6 +6,19 @@ x_for = 1 ipv4_prefix = 32 ipv6_prefix = 48 +# If the request IP is in trusted_proxies list, the client IP address is +# extracted from the X-Forwarded-For and X-Real-IP headers. This should be +# used if SearXNG is behind a reverse proxy or load balancer. + +trusted_proxies = [ + '127.0.0.0/8', + '::1', + # '192.168.0.0/16', + # '172.16.0.0/12', + # '10.0.0.0/8', + # 'fd00::/8', +] + [botdetection.ip_limit] # To get unlimited access in a local network, by default link-local addresses @@ -37,4 +46,4 @@ pass_ip = [ # Activate passlist of (hardcoded) IPs from the SearXNG organization, # e.g. `check.searx.space`. -pass_searxng_org = true
\ No newline at end of file +pass_searxng_org = true |