diff options
| author | Ivan Gabaldon <igabaldon@inetol.net> | 2025-08-09 23:03:30 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-08-09 23:03:30 +0200 |
| commit | ce8929cabe27c7cf0bfb21b47786c7442ffb3712 (patch) | |
| tree | 8b478698e812efee8e457d34cef8fbd43d2da024 /searx/plugins | |
| parent | 341d718c7f8557e03e184102f63b2f4a4364b939 (diff) | |
[mod] limiter: trusted proxies (#4911)
Replaces `x_for` functionality with `trusted_proxies`. This allows defining
which IP / ranges to trust extracting the client IP address from X-Forwarded-For
and X-Real-IP headers.
We don't know if the proxy chain will give us the proper client
address (REMOTE_ADDR in the WSGI environment), so we rely on reading the headers
of the proxy before SearXNG (if there is one, in that case it must be added to
trusted_proxies) hoping it has done the proper checks. In case a proxy in the
chain does not check the client address correctly, integrity is compromised and
this should be fixed by whoever manages the proxy, not us.
Closes:
- https://github.com/searxng/searxng/issues/4940
- https://github.com/searxng/searxng/issues/4939
- https://github.com/searxng/searxng/issues/4907
- https://github.com/searxng/searxng/issues/3632
- https://github.com/searxng/searxng/issues/3191
- https://github.com/searxng/searxng/issues/1237
Related:
- https://github.com/searxng/searxng-docker/issues/386
- https://github.com/inetol-infrastructure/searxng-container/issues/81
Diffstat (limited to 'searx/plugins')
| -rw-r--r-- | searx/plugins/self_info.py | 9 | ||||
| -rw-r--r-- | searx/plugins/tor_check.py | 4 |
2 files changed, 8 insertions, 5 deletions
diff --git a/searx/plugins/self_info.py b/searx/plugins/self_info.py index ef035e683..1c51049a5 100644 --- a/searx/plugins/self_info.py +++ b/searx/plugins/self_info.py @@ -4,9 +4,10 @@ from __future__ import annotations import typing import re +from ipaddress import ip_address + from flask_babel import gettext -from searx.botdetection._helpers import get_real_ip from searx.result_types import EngineResults from . import Plugin, PluginInfo @@ -48,8 +49,10 @@ class SXNGPlugin(Plugin): if search.search_query.pageno > 1: return results - if self.ip_regex.search(search.search_query.query): - results.add(results.types.Answer(answer=gettext("Your IP is: ") + get_real_ip(request))) + if self.ip_regex.search(search.search_query.query) and request.remote_addr: + results.add( + results.types.Answer(answer=gettext("Your IP is: ") + ip_address(request.remote_addr).compressed) + ) if self.ua_regex.match(search.search_query.query): results.add(results.types.Answer(answer=gettext("Your user-agent is: ") + str(request.user_agent))) diff --git a/searx/plugins/tor_check.py b/searx/plugins/tor_check.py index 3338ff2ed..93506ff5a 100644 --- a/searx/plugins/tor_check.py +++ b/searx/plugins/tor_check.py @@ -5,6 +5,7 @@ user searches for ``tor-check``. It fetches the tor exit node list from user's IP address is in it. """ from __future__ import annotations +from ipaddress import ip_address import typing import re @@ -14,7 +15,6 @@ from httpx import HTTPError from searx.network import get from searx.plugins import Plugin, PluginInfo from searx.result_types import EngineResults -from searx.botdetection import get_real_ip if typing.TYPE_CHECKING: from searx.search import SearchWithPlugins @@ -66,7 +66,7 @@ class SXNGPlugin(Plugin): results.add(results.types.Answer(answer=f"{msg} {url_exit_list}")) return results - real_ip = get_real_ip(request) + real_ip = ip_address(address=str(request.remote_addr)).compressed if real_ip in node_list: msg = gettext("You are using Tor and it looks like you have the external IP address") |