From 8f466b368220cdeace0bfbf8d6b776369f061404 Mon Sep 17 00:00:00 2001
From: Oliver Falk
Date: Mon, 19 Nov 2018 15:43:21 +0100
Subject: [PATCH 1/3] Add middleware to fix multiple proxies issue
---
ivatar/middleware.py | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 ivatar/middleware.py
diff --git a/ivatar/middleware.py b/ivatar/middleware.py
new file mode 100644
index 0000000..1520fee
--- /dev/null
+++ b/ivatar/middleware.py
@@ -0,0 +1,26 @@
+"""
+Middleware classes
+"""
+from django.utils.deprecation import MiddlewareMixin
+
+class MultipleProxyMiddleware(MiddlewareMixin): # pylint: disable=too-few-public-methods
+ """
+ Middleware to rewrite proxy headers for deployments
+ multiple proxies
+ """
+ FORWARDED_FOR_FIELDS = [
+ 'HTTP_X_FORWARDED_FOR',
+ 'HTTP_X_FORWARDED_HOST',
+ 'HTTP_X_FORWARDED_SERVER',
+ ]
+
+ def process_request(self, request):
+ """
+ Rewrites the proxy headers so that only the most
+ recent proxy is used.
+ """
+ for field in self.FORWARDED_FOR_FIELDS:
+ if field in request.META:
+ if ',' in request.META[field]:
+ parts = request.META[field].split(',')
+ request.META[field] = parts[-1].strip()
From 2f79608a599d350a6446df7d6f9414b1b16e6955 Mon Sep 17 00:00:00 2001
From: Oliver Falk
Date: Mon, 19 Nov 2018 15:43:46 +0100
Subject: [PATCH 2/3] Add middleware and rearrange to make pylint happier
---
config.py | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/config.py b/config.py
index 9bec80d..93fdab6 100644
--- a/config.py
+++ b/config.py
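Review bot: In ivatar/middleware.py (patch 1/3), `process_request` rewrites `X-Forwarded-For`, `X-Forwarded-Host` and `X-Forwarded-Server` on every request without saying which hop is trusted, and the docstring should state that assumption. Keeping `parts[-1]` is only sound when the application is reachable solely through a proxy that appends to or overwrites these headers; if the application can be reached directly, the whole value is client-supplied. With more than one proxy in the chain, the last `X-Forwarded-For` entry is also the address of the previous proxy rather than the client, which matters if anything downstream uses it for logging or throttling. I would extend the docstring to something like `Assumes the nearest proxy is trusted and sets these headers itself; keeps only the entry it added.`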
@@ -4,14 +4,16 @@ Configuration overrides for settings.py import os import sys -from socket import gethostname, gethostbyname from django.urls import reverse_lazy from ivatar.settings import BASE_DIR -ADMIN_USERS = [] -ALLOWED_HOSTS = [ '*' ] +from ivatar.settings import MIDDLEWARE +from ivatar.settings import INSTALLED_APPS +from ivatar.settings import TEMPLATES + +ADMIN_USERS = [] +ALLOWED_HOSTS = ['*'] -from ivatar.settings import INSTALLED_APPS # noqa INSTALLED_APPS.extend([ 'django_extensions', 'django_openid_auth', @@ -22,10 +24,12 @@ INSTALLED_APPS.extend([ 'ivatar.tools', ]) -from ivatar.settings import MIDDLEWARE # noqa MIDDLEWARE.extend([ 'django.middleware.locale.LocaleMiddleware', ]) +MIDDLEWARE.insert( + 0, 'ivatar.middleware.MultipleProxyMiddleware', +) AUTHENTICATION_BACKENDS = ( # Enable this to allow LDAP authentication. @@ -35,7 +39,6 @@ AUTHENTICATION_BACKENDS = ( 'django.contrib.auth.backends.ModelBackend', ) -from ivatar.settings import TEMPLATES # noqa TEMPLATES[0]['DIRS'].extend([ os.path.join(BASE_DIR, 'templates'), ]) @@ -76,7 +79,8 @@ BOOTSTRAP4 = { 'javascript_in_head': False, 'css_url': { 'href': '/static/css/bootstrap.min.css', - 'integrity': 'sha384-WskhaSGFgHYWDcbwN70/dfYBj47jz9qbsMId/iRN3ewGhXQFZCSftd1LZCfmhktB', # noqa + 'integrity': + 'sha384-WskhaSGFgHYWDcbwN70/dfYBj47jz9qbsMId/iRN3ewGhXQFZCSftd1LZCfmhktB', 'crossorigin': 'anonymous', }, 'javascript_url': { @@ -86,7 +90,8 @@ BOOTSTRAP4 = { }, 'popper_url': { 'url': '/static/js/popper.min.js', - 'integrity': 'sha384-ZMP7rVo3mIykV+2+9J3UJ46jBk0WLaUAdn689aCwoqbBJiSnjAK/l8WvCWPIPm49', # noqa + 'integrity': + 'sha384-ZMP7rVo3mIykV+2+9J3UJ46jBk0WLaUAdn689aCwoqbBJiSnjAK/l8WvCWPIPm49', 'crossorigin': 'anonymous', }, } @@ -134,3 +139,4 @@ if os.path.isfile(os.path.join(BASE_DIR, 'config_local.py')): SESSION_SERIALIZER = 'django.contrib.sessions.serializers.PickleSerializer' USE_X_FORWARDED_HOST = True +ALLOWED_EXTERNAL_OPENID_REDIRECT_DOMAINS = ['avatars.linux-kernel.at', 'localhost',] 
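Review bot: The `MIDDLEWARE.insert(0, ...)` call in the second hunk makes the forwarded-header rewrite run ahead of every other middleware, while this file keeps `ALLOWED_HOSTS = ['*']` (first hunk) and `USE_X_FORWARDED_HOST = True` (context in the last hunk). Django's host validation therefore offers no backstop for whatever host value the middleware lets through. The host used when building absolute URLs then depends entirely on the front proxy setting `X-Forwarded-*` itself. I would add a comment at the insert, for example `# Requires a front proxy that sets X-Forwarded-* itself; restrict ALLOWED_HOSTS per deployment`, and consider shipping a concrete host list instead of the wildcard.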
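Review bot: The new `ALLOWED_EXTERNAL_OPENID_REDIRECT_DOMAINS` line in the last hunk hard-codes one deployment's domain plus `'localhost'` into the shared config, which widens the set of hosts accepted as post-login redirect targets for every installation. Judging by the hunk header it sits after the `config_local.py` block, so a local override would presumably be overwritten; that should be confirmed, since the enclosing block starts outside the hunk. I would default to `ALLOWED_EXTERNAL_OPENID_REDIRECT_DOMAINS = []` with a comment naming what the setting controls, and leave the real value to local configuration. The trailing `,]` also reads better as `]`.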
From c1d6a751da0c74130f8c8a842b8b1ca4561fe4a8 Mon Sep 17 00:00:00 2001 From: Oliver Falk Date: Mon, 19 Nov 2018 16:20:25 +0100 Subject: [PATCH 3/3] Rewrite middleware to use FORWARDED_SERVER as FORWARDED_HOST, if available --- ivatar/middleware.py | 18 +++++------------- templates/openid/login.html | 2 +- 2 files changed, 6 insertions(+), 14 deletions(-) diff --git a/ivatar/middleware.py b/ivatar/middleware.py index 1520fee..6f6e066 100644 --- a/ivatar/middleware.py +++ b/ivatar/middleware.py @@ -6,21 +6,13 @@ from django.utils.deprecation import MiddlewareMixin class MultipleProxyMiddleware(MiddlewareMixin): # pylint: disable=too-few-public-methods """ Middleware to rewrite proxy headers for deployments - multiple proxies + with multiple proxies """ - FORWARDED_FOR_FIELDS = [ - 'HTTP_X_FORWARDED_FOR', - 'HTTP_X_FORWARDED_HOST', - 'HTTP_X_FORWARDED_SERVER', - ] def process_request(self, request): """ - Rewrites the proxy headers so that only the most - recent proxy is used. + Rewrites the proxy headers so that forwarded server is + used if available. """ - for field in self.FORWARDED_FOR_FIELDS: - if field in request.META: - if ',' in request.META[field]: - parts = request.META[field].split(',') - request.META[field] = parts[-1].strip() + if 'HTTP_X_FORWARDED_SERVER' in request.META: + request.META['HTTP_X_FORWARDED_HOST'] = request.META['HTTP_X_FORWARDED_SERVER'] diff --git a/templates/openid/login.html b/templates/openid/login.html index b0a800e..a1ae3bb 100644 --- a/templates/openid/login.html +++ b/templates/openid/login.html @@ -29,7 +29,7 @@
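Review bot: In ivatar/middleware.py (patch 3/3), the rewritten `process_request` no longer reduces comma-separated values. A request that passed two proxies, or one where the client sent its own `X-Forwarded-Server` and the proxy appended to it, puts the whole list into `HTTP_X_FORWARDED_HOST`. With `USE_X_FORWARDED_HOST = True` in config.py that value becomes the request host, and it is copied even when the proxy already supplied a valid `X-Forwarded-Host`. Keeping the last-entry handling from the previous version would cover it: `server = request.META.get('HTTP_X_FORWARDED_SERVER', '').split(',')[-1].strip()` followed by `if server: request.META['HTTP_X_FORWARDED_HOST'] = server`. The class name and docstring still speak of multiple proxies, which the new body does not handle.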

- +