From ce8929cabe27c7cf0bfb21b47786c7442ffb3712 Mon Sep 17 00:00:00 2001
From: Ivan Gabaldon <igabaldon@inetol.net>
Date: Sat, 9 Aug 2025 23:03:30 +0200
Subject: [mod] limiter: trusted proxies (#4911)

Replaces `x_for` functionality with `trusted_proxies`. This allows defining
which IP / ranges to trust extracting the client IP address from X-Forwarded-For
and X-Real-IP headers.

We don't know if the proxy chain will give us the proper client
address (REMOTE_ADDR in the WSGI environment), so we rely on reading the headers
of the proxy before SearXNG (if there is one, in that case it must be added to
trusted_proxies) hoping it has done the proper checks. In case a proxy in the
chain does not check the client address correctly, integrity is compromised and
this should be fixed by whoever manages the proxy, not us.

Closes:

- https://github.com/searxng/searxng/issues/4940
- https://github.com/searxng/searxng/issues/4939
- https://github.com/searxng/searxng/issues/4907
- https://github.com/searxng/searxng/issues/3632
- https://github.com/searxng/searxng/issues/3191
- https://github.com/searxng/searxng/issues/1237

Related:

- https://github.com/searxng/searxng-docker/issues/386
- https://github.com/inetol-infrastructure/searxng-container/issues/81
---
 searx/plugins/self_info.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'searx/plugins/self_info.py')

diff --git a/searx/plugins/self_info.py b/searx/plugins/self_info.py
index ef035e683..1c51049a5 100644
--- a/searx/plugins/self_info.py
+++ b/searx/plugins/self_info.py
@@ -4,9 +4,10 @@ from __future__ import annotations
 import typing
 
 import re
+from ipaddress import ip_address
+
 from flask_babel import gettext
 
-from searx.botdetection._helpers import get_real_ip
 from searx.result_types import EngineResults
 
 from . import Plugin, PluginInfo
@@ -48,8 +49,10 @@ class SXNGPlugin(Plugin):
         if search.search_query.pageno > 1:
             return results
 
-        if self.ip_regex.search(search.search_query.query):
-            results.add(results.types.Answer(answer=gettext("Your IP is: ") + get_real_ip(request)))
+        if self.ip_regex.search(search.search_query.query) and request.remote_addr:
+            results.add(
+                results.types.Answer(answer=gettext("Your IP is: ") + ip_address(request.remote_addr).compressed)
+            )
 
         if self.ua_regex.match(search.search_query.query):
             results.add(results.types.Answer(answer=gettext("Your user-agent is: ") + str(request.user_agent)))
-- 
cgit v1.2.3