Remove WEBSOCKET_TRUST_X_FORWARDED_FOR, use UPSTREAM_IPS

2026-03-20 23:06:31 +01:00 · 2020-01-14 21:51:19 +00:00 · 2020-01-14 21:51:19 +00:00 · bfe7a2e6e6
commit bfe7a2e6e6
parent 5dee0873d1
3 changed files with 12 additions and 11 deletions
--- a/evennia/server/portal/portal.py
+++ b/evennia/server/portal/portal.py
@ -58,7 +58,6 @@ SSL_PORTS = settings.SSL_PORTS
 SSH_PORTS = settings.SSH_PORTS
 WEBSERVER_PORTS = settings.WEBSERVER_PORTS
 WEBSOCKET_CLIENT_PORT = settings.WEBSOCKET_CLIENT_PORT
-WEBSOCKET_TRUST_X_FORWARDED_FOR = settings.WEBSOCKET_TRUST_X_FORWARDED_FOR

 TELNET_INTERFACES = ["127.0.0.1"] if LOCKDOWN_MODE else settings.TELNET_INTERFACES
 SSL_INTERFACES = ["127.0.0.1"] if LOCKDOWN_MODE else settings.SSL_INTERFACES
@ -387,7 +386,6 @@ if WEBSERVER_ENABLED:
                    factory.noisy = False
                    factory.protocol = webclient.WebSocketClient
                    factory.sessionhandler = PORTAL_SESSIONS
-                    factory.setProtocolOptions(trustXForwardedFor=WEBSOCKET_TRUST_X_FORWARDED_FOR)
                    websocket_service = internet.TCPServer(
                        port, factory, interface=w_interface
                    )
--- a/evennia/server/portal/webclient.py
+++ b/evennia/server/portal/webclient.py
@ -29,6 +29,7 @@ _RE_SCREENREADER_REGEX = re.compile(
    r"%s" % settings.SCREENREADER_REGEX_STRIP, re.DOTALL + re.MULTILINE
 )
 _CLIENT_SESSIONS = mod_import(settings.SESSION_ENGINE).SessionStore
+_UPSTREAM_IPS = settings.UPSTREAM_IPS


 CLOSE_NORMAL = WebSocketServerProtocol.CLOSE_STATUS_CODE_NORMAL
@ -73,13 +74,18 @@ class WebSocketClient(WebSocketServerProtocol, Session):
        This is called when the WebSocket connection is fully established.

        """
-        if 'x-forwarded-for' in self.http_headers and self.trustXForwardedFor:
+        client_address = self.transport.client
+        client_address = client_address[0] if client_address else None
+
+        if client_address in _UPSTREAM_IPS and 'x-forwarded-for' in self.http_headers:
            addresses = [x.strip() for x in self.http_headers['x-forwarded-for'].split(',')]
-            trusted_addresses = addresses[-self.trustXForwardedFor:]
-            client_address = trusted_addresses[0]
-        else:
-             client_address = self.transport.client
-             client_address = client_address[0] if client_address else None
+            addresses.reverse()
+
+            for addr in addresses:
+                if addr not in _UPSTREAM_IPS:
+                    client_address = addr
+                    break
+
        self.init_session("websocket", client_address, self.factory.sessionhandler)

        csession = self.get_client_session()  # this sets self.csessid
--- a/evennia/settings_default.py
+++ b/evennia/settings_default.py
@ -102,9 +102,6 @@ WEBSOCKET_CLIENT_INTERFACE = "0.0.0.0"
 # the client will itself figure out this url based on the server's hostname.
 # e.g. ws://external.example.com or wss://external.example.com:443
 WEBSOCKET_CLIENT_URL = None
-# Number of trusted web servers (reverse proxies) in front of this server which
-# set the X-Forwarded-For header.
-WEBSOCKET_TRUST_X_FORWARDED_FOR = None
 # This determine's whether Evennia's custom admin page is used, or if the
 # standard Django admin is used.
 EVENNIA_ADMIN = True