From 92bdb24bff7c29bb57f33d4ecf1707026b2d874c Mon Sep 17 00:00:00 2001
From: "Peter A. Jonsson"
Date: Wed, 20 Nov 2024 06:06:45 +0100
Subject: [PATCH] Add proxy fix header handling for X-Forwarded-For etc. (#1090)
* Fix spelling
* Add proxy fix header handling for X-Forwarded-For etc.
* Add docs
* Fix spelling
---------
Co-authored-by: Alex
---
datacube_ows/ogc.py | 12 +++++++++++-
datacube_ows/startup_utils.py | 9 +++++++++
docs/environment_variables.rst | 8 ++++++++
wordlist.txt | 2 ++
4 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/datacube_ows/ogc.py b/datacube_ows/ogc.py
index b4e6bd81d..d92df3152 100644
--- a/datacube_ows/ogc.py
+++ b/datacube_ows/ogc.py
@@ -18,7 +18,14 @@
 lower_get_args, resp_headers)
 from datacube_ows.ows_configuration import get_config
 from datacube_ows.protocol_versions import supported_versions
-from datacube_ows.startup_utils import * # pylint: disable=wildcard-import,unused-wildcard-import
+from datacube_ows.startup_utils import (initialise_aws_credentials,
+ initialise_babel, initialise_debugging,
+ initialise_flask,
+ initialise_ignorable_warnings,
+ initialise_logger,
+ initialise_prometheus,
+ initialise_sentry, parse_config_file,
+ proxy_fix)
 from datacube_ows.wcs1 import WCS_REQUESTS
 from datacube_ows.wms import WMS_REQUESTS
@@ -43,6 +50,9 @@
 # (controlled by environment variables)
 metrics = initialise_prometheus(app, _LOG)
+# Add middleware to fix proxy headers, controlled by environment variables
+app = proxy_fix(app, _LOG)
+
 # Protocol/Version lookup table
 OWS_SUPPORTED = supported_versions()
diff --git a/datacube_ows/startup_utils.py b/datacube_ows/startup_utils.py
index 468f897a5..0c95339a1 100644
--- a/datacube_ows/startup_utils.py
+++ b/datacube_ows/startup_utils.py
@@ -209,6 +209,15 @@ def initialise_prometheus(app, log=None):
 return metrics
 return FakeMetrics()
+def proxy_fix(app, log=None):
+ # Proxy Fix, to respect X-Forwarded-For headers
+ if os.environ.get("PROXY_FIX", False):
+ from werkzeug.middleware.proxy_fix import ProxyFix
+ app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1, x_port=1)
+ if log is not None:
+ log.info("ProxyFix was enabled")
+ return app
+
 def request_extractor():
 qreq = request.args.get('request')
 return qreq
diff --git a/docs/environment_variables.rst b/docs/environment_variables.rst
index 84f3816ae..a5d8585d5 100644
--- a/docs/environment_variables.rst
+++ b/docs/environment_variables.rst
@@ -99,6 +99,14 @@ prometheus_multiproc_dir:
 The `Prometheus event monitoring system `_ is activated by setting this lower case environment variable.
+PROXY_FIX:
+ If ``$PROXY_FIX`` is set to "true", "yes", "on" or "1", the Flask application will trust the
+ X-Forwarded-For and other headers from a proxy server.
+
+ This is useful when running behind a reverse proxy server such as Nginx or CloudFront.
+
+ NEVER use in production without a reverse proxy server.
+
 Dev Tools
 ---------
diff --git a/wordlist.txt b/wordlist.txt
index 5a0c9eb90..2d837ec55 100644
--- a/wordlist.txt
+++ b/wordlist.txt
@@ -92,6 +92,7 @@ coverages
 cp
 createdb
 credentialling
+christophfriedrich
 crs
 crss
 CRSs
@@ -263,6 +264,7 @@ multiproduct
 mv
 mysecretpassword
 namespace
+NaNs
 natively
 ncols
 ndays
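Review bot: In `proxy_fix` (datacube_ows/startup_utils.py), `os.environ.get("PROXY_FIX", False)` is truthy for any non-empty string, so `PROXY_FIX=false` or `PROXY_FIX=0` still installs `ProxyFix`, whereas the documentation added in this same commit says only "true", "yes", "on" or "1" enable it. Because the middleware makes the app take the client address, scheme, host and port from request headers, an operator who believes the setting is off would be accepting client-supplied values for these on a directly exposed service. Compare against the documented set instead: `if os.environ.get("PROXY_FIX", "").strip().lower() in ("true", "yes", "on", "1"):`. The counts `x_for=1, x_proto=1, x_host=1, x_port=1` assume exactly one trusted proxy that sets all four headers; that looks worth stating in a docstring replacing the one-line comment, since a chain such as CloudFront in front of Nginx would presumably need different values.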