Files @ 3d7ba590f6f5
Branch filter:

Location: kallithea/init.d/kallithea-daemon-arch - annotation

3d7ba590f6f5 1.3 KiB text/plain Show Source Show as Raw Download as Raw
mads
auth: only use X- headers instead of REMOTE_ADDR if explicitly told so in remote_addr_header

Before, X-Forwarded-For (and others) headers would *always* be trusted blindly,
also in setups without a proxy server. It would thus in some cases be
possible for users to fake their IP, and thus potentially be possible to bypass
IP restrictions configured in Kallithea.

Fixed by making it configurable which WSGI environment variable to use for the
remote address. Users can configure remote_addr_header to for example
HTTP_X_FORWARDED_FOR instead of using the default REMOTE_ADDR.

This change is a bit similar to what is going on in the https_fixup middleware,
but is doing a bit more of what for example is happening in similar code in
werkzeug/middleware/proxy_fix.py .
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
2c3d30095d5e
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
2c3d30095d5e
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
e285bb7abb28
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
99ad9d0af1a3
e285bb7abb28

#!/bin/bash
###########################################
#### THIS IS AN ARCH LINUX RC.D SCRIPT ####
###########################################

. /etc/rc.conf
. /etc/rc.d/functions

DAEMON=kallithea
APP_HOMEDIR="/srv"
APP_PATH="$APP_HOMEDIR/$DAEMON"
CONF_NAME="production.ini"
LOG_FILE="/var/log/$DAEMON.log"
PID_FILE="/run/daemons/$DAEMON"
APPL=/usr/bin/gearbox
RUN_AS="*****"

ARGS="serve --daemon \
--user=$RUN_AS \
--group=$RUN_AS \
--pid-file=$PID_FILE \
--log-file=$LOG_FILE \
-c $APP_PATH/$CONF_NAME"

[ -r /etc/conf.d/$DAEMON ] && . /etc/conf.d/$DAEMON

if [[ -r $PID_FILE ]]; then
    read -r PID < "$PID_FILE"
    if [[ $PID && ! -d /proc/$PID ]]; then
        unset PID
        rm_daemon $DAEMON
    fi
fi

case "$1" in
start)
    stat_busy "Starting $DAEMON"
    export HOME=$APP_PATH
    [ -z "$PID" ] && $APPL $ARGS &>/dev/null
    if [ $? = 0 ]; then
        add_daemon $DAEMON
        stat_done
    else
        stat_fail
        exit 1
    fi
    ;;
stop)
    stat_busy "Stopping $DAEMON"
    [ -n "$PID" ] && kill $PID &>/dev/null
    if [ $? = 0 ]; then
        rm_daemon $DAEMON
        stat_done
    else
        stat_fail
        exit 1
    fi
    ;;
restart)
    $0 stop
    sleep 1
    $0 start
    ;;
status)
    stat_busy "Checking $name status";
    ck_status $name
    ;;
*)
    echo "usage: $0 {start|stop|restart|status}"
esac
Server instance: clio-11851 This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3. – Support