From ce8929cabe27c7cf0bfb21b47786c7442ffb3712 Mon Sep 17 00:00:00 2001 From: Ivan Gabaldon Date: Sat, 9 Aug 2025 23:03:30 +0200 Subject: [mod] limiter: trusted proxies (#4911) Replaces `x_for` functionality with `trusted_proxies`. This allows defining which IP / ranges to trust extracting the client IP address from X-Forwarded-For and X-Real-IP headers. We don't know if the proxy chain will give us the proper client address (REMOTE_ADDR in the WSGI environment), so we rely on reading the headers of the proxy before SearXNG (if there is one, in that case it must be added to trusted_proxies) hoping it has done the proper checks. In case a proxy in the chain does not check the client address correctly, integrity is compromised and this should be fixed by whoever manages the proxy, not us. Closes: - https://github.com/searxng/searxng/issues/4940 - https://github.com/searxng/searxng/issues/4939 - https://github.com/searxng/searxng/issues/4907 - https://github.com/searxng/searxng/issues/3632 - https://github.com/searxng/searxng/issues/3191 - https://github.com/searxng/searxng/issues/1237 Related: - https://github.com/searxng/searxng-docker/issues/386 - https://github.com/inetol-infrastructure/searxng-container/issues/81 --- searx/webapp.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'searx/webapp.py') diff --git a/searx/webapp.py b/searx/webapp.py index 906ec93e4..4179c32b0 100755 --- a/searx/webapp.py +++ b/searx/webapp.py @@ -57,7 +57,7 @@ from searx import ( from searx import infopage from searx import limiter -from searx.botdetection import link_token +from searx.botdetection import link_token, ProxyFix from searx.data import ENGINE_DESCRIPTIONS from searx.result_types import Answer @@ -1391,6 +1391,7 @@ def static_headers(headers: Headers, _path: str, _url: str) -> None: headers[header] = str(value) +app.wsgi_app = ProxyFix(app.wsgi_app) app.wsgi_app = WhiteNoise( app.wsgi_app, root=settings['ui']['static_path'], -- cgit v1.2.3