From ce8929cabe27c7cf0bfb21b47786c7442ffb3712 Mon Sep 17 00:00:00 2001 From: Ivan Gabaldon Date: Sat, 9 Aug 2025 23:03:30 +0200 Subject: [mod] limiter: trusted proxies (#4911) Replaces `x_for` functionality with `trusted_proxies`. This allows defining which IP / ranges to trust extracting the client IP address from X-Forwarded-For and X-Real-IP headers. We don't know if the proxy chain will give us the proper client address (REMOTE_ADDR in the WSGI environment), so we rely on reading the headers of the proxy before SearXNG (if there is one, in that case it must be added to trusted_proxies) hoping it has done the proper checks. In case a proxy in the chain does not check the client address correctly, integrity is compromised and this should be fixed by whoever manages the proxy, not us. Closes: - https://github.com/searxng/searxng/issues/4940 - https://github.com/searxng/searxng/issues/4939 - https://github.com/searxng/searxng/issues/4907 - https://github.com/searxng/searxng/issues/3632 - https://github.com/searxng/searxng/issues/3191 - https://github.com/searxng/searxng/issues/1237 Related: - https://github.com/searxng/searxng-docker/issues/386 - https://github.com/inetol-infrastructure/searxng-container/issues/81 --- searx/botdetection/http_sec_fetch.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'searx/botdetection/http_sec_fetch.py') diff --git a/searx/botdetection/http_sec_fetch.py b/searx/botdetection/http_sec_fetch.py index f64ee4b2c..edead3bfa 100644 --- a/searx/botdetection/http_sec_fetch.py +++ b/searx/botdetection/http_sec_fetch.py @@ -32,8 +32,6 @@ import re import flask import werkzeug -from searx.extended_types import SXNG_Request - from . import config from ._helpers import logger @@ -78,7 +76,7 @@ def is_browser_supported(user_agent: str) -> bool: def filter_request( network: IPv4Network | IPv6Network, - request: SXNG_Request, + request: flask.Request, cfg: config.Config, ) -> werkzeug.Response | None: -- cgit v1.2.3