Cutlery/searxng
1
0
Fork 0
mirror of https://github.com/searxng/searxng.git synced 2025-11-03 19:17:07 -05:00
Code Issues Packages Projects Releases Wiki Activity
searxng/searx/compat.py
Ivan Gabaldon ce8929cabe
[mod] limiter: trusted proxies (#4911) 
Replaces `x_for` functionality with `trusted_proxies`. This allows defining
which IP / ranges to trust extracting the client IP address from X-Forwarded-For
and X-Real-IP headers.

We don't know if the proxy chain will give us the proper client
address (REMOTE_ADDR in the WSGI environment), so we rely on reading the headers
of the proxy before SearXNG (if there is one, in that case it must be added to
trusted_proxies) hoping it has done the proper checks. In case a proxy in the
chain does not check the client address correctly, integrity is compromised and
this should be fixed by whoever manages the proxy, not us.

Closes:

- https://github.com/searxng/searxng/issues/4940
- https://github.com/searxng/searxng/issues/4939
- https://github.com/searxng/searxng/issues/4907
- https://github.com/searxng/searxng/issues/3632
- https://github.com/searxng/searxng/issues/3191
- https://github.com/searxng/searxng/issues/1237

Related:

- https://github.com/searxng/searxng-docker/issues/386
- https://github.com/inetol-infrastructure/searxng-container/issues/81
2025-08-09 23:03:30 +02:00

54 lines
1.3 KiB
Python
Raw Blame History

# SPDX-License-Identifier: AGPL-3.0-or-later
"""Compatibility with older versions"""
# pylint: disable=unused-import
__all__ = [
"tomllib",
]
import sys
import warnings
# TOML (lib) compatibility
# ------------------------
if sys.version_info >= (3, 11):
import tomllib
else:
import tomli as tomllib
# limiter backward compatibility
# ------------------------------
LIMITER_CFG_DEPRECATED = {
"real_ip": "limiter: config section 'real_ip' is deprecated",
"real_ip.x_for": "real_ip.x_for has been replaced by botdetection.trusted_proxies",
"real_ip.ipv4_prefix": "real_ip.ipv4_prefix has been replaced by botdetection.ipv4_prefix",
"real_ip.ipv6_prefix": "real_ip.ipv6_prefix has been replaced by botdetection.ipv6_prefix'",
}
def limiter_fix_cfg(cfg, cfg_file):
kwargs = {
"category": DeprecationWarning,
"filename": str(cfg_file),
"lineno": 0,
"module": "searx.limiter",
}
for opt, msg in LIMITER_CFG_DEPRECATED.items():
try:
val = cfg.get(opt)
except KeyError:
continue
warnings.warn_explicit(msg, **kwargs)
if opt == "real_ip.ipv4_prefix":
cfg.set("botdetection.ipv4_prefix", val)
if opt == "real_ip.ipv6_prefix":
cfg.set("botdetection.ipv6_prefix", val)
Reference in New Issue View Git Blame Copy Permalink