Improve ProxyHeadersMiddleware

[pypae]

Summary
This PR addresses multiple issues mentioned in #1068 to improve the ProxyHeadersMiddleware.

• 🐛 Fix the host for requests from clients running on the proxy server itself. (The main issue)
• 🐛 Fallback to host that was already set for empty x-forwarded-for headers. (Mentioned by @b0g3r)
• ✨ Also allow to specify IP ranges in CIDR notation as trusted hosts. (Mentioned by @jalaziz) This greatly simplifies deployments on docker swarm / kubernetes, where the reverse proxy might have a dynamic IP.

[pypae]

@b0g3r I don't fully grasp your third issue:

• It doesn't check request_addr like it is one of the proxies. It means that hacker who has direct network access to the server can impersonate IPs (example)

Isn't this covered by the following line?

uvicorn/uvicorn/middleware/proxy_headers.py

Line 81 in 6947d19

if client_host in self.trusted_hosts:

[pypae]

Is this a feature that you would like to see merged? Can we do anything on our side?

For the time being, we're using this middleware outside of uvicorn.
For anyone coming across the same issue: Just copy the code, manually add it as a middleware and disable proxy headers in uvicorn. (For example by setting the environment variable UVICORN_PROXY_HEADERS=False)

[purplesyringa]

As a side note -- would it be reasonable to add support for X-Forwarded-Host and X-Forwarded-Port, like Werkzeug does? (There's also X-Forwarded-Prefix, but I'm not familiar enough with Quart to know if that would be the right place to handle it)

UPD: Actually, that would be #965. Also, docs mention X-Forwarded-Port but it doesn't seem to be handled anywhere in the code, as far as I can see.

[Kludex]

Can we have a test case for this?

[Kludex]

Can this be reached? What's the scenario?

[Kludex]

I think we may need to add more strategic comments on this PR, since it's not trivial to follow. 😅

Ref.: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For

[Kludex]

@pypae Are you still interested in this PR?

[pypae]

Are you still interested in this PR?

Yes, I still think this feature could be of use for many users. I'll have another look at it later this week and add some strategic comments.

[Kludex]

👋 🏃 💨

[Kludex]

@pypae Are you still interested in this PR?

[amadeuszhercog-ocado]

Hello @Kludex @pypae I hope you're doing well. I'm also interested in this functionality. Currently in our code we have to do this manually, and it would be very nice to have the out-of-the-box mechanism in uvicorn.

@pypae are you planning to further work on this functionality?

If not, are you @Kludex planning to take over and finish this pull request? Or are you going to close it without merging?

[Kludex]

I'm waiting for the author here. If someone wants to take over, feel free to do it. I'm not closing this PR anyway.

I need my review comments to be replied.

[gonchik]

It will be nice to have it. :)

[nhairs]

Since it's been 10 months since the last activity from @pypae I'd be willing to pick this up and try finish it off.

Apart from the outstanding comments in the code is there anything I should be aware of @Kludex? (This would also be my first time contributing to uvicorn if you have info on that).

[nhairs]

Is there a reason for using IPv4Network instead of ipaddress.ip_network which is version agnostic?

[nhairs]

Is there a reason we're using IPv4Address instead of ipaddress.ip_address which is version agnostic?

[Kludex]

Nothing to add. Go ahead. 🙏

[nhairs]

For those subscribed - I've started a new PR #2231

[Kludex]

• Let's continue on Improve ProxyHeadersMiddleware #2231.

[gonchik]

Thanks @Kludex