如何在 Flask 中安全地获取用户的真实 IP 地址(使用 mod_wsgi)? [英] How do I safely get the user's real IP address in Flask (using mod_wsgi)?

问题描述

我在 mod_wsgi/Apache 上设置了一个 Flask 应用程序，需要记录用户的 IP 地址.request.remote_addr 返回127.0.0.1"，此修复尝试纠正但我发现 Django 出于安全原因删除了类似的代码.

I have a flask app setup on mod_wsgi/Apache and need to log the IP Address of the user. request.remote_addr returns "127.0.0.1" and this fix attempts to correct that but I've found that Django removed similar code for security reasons.

是否有更好的方法来安全地获取用户的真实 IP 地址?

Is there a better way to safely get the user's real IP address?

也许我遗漏了一些明显的东西.我应用了 werkzeug's/Flask's fix 但似乎没有当我尝试更改标头的请求时有所作为:

Maybe I'm missing something obvious. I applied werkzeug's/Flask's fix but it doesn't seem to make a difference when I try a request with altered headers:

run.py:

    from werkzeug.contrib.fixers import ProxyFix
    app.wsgi_app = ProxyFix(app.wsgi_app)
    app.run()

view.py:

for ip in request.access_route:
        print ip # prints "1.2.3.4" and "my.ip.address"

无论我是否启用了 ProxyFix，都会发生同样的结果.我觉得我错过了一些完全明显的东西

This same result happens if I have the ProxyFix enabled or not. I feel like I'm missing something completely obvious

推荐答案

您可以使用 request.access_route 属性 仅当您定义了可信 代理列表.

You can use the request.access_route attribute only if you define a list of trusted proxies.

access_route 属性使用 X-Forwarded-For 标头，回退到 REMOTE_ADDR WSGI 变量；后者很好，因为您的服务器确定了这一点；X-Forwarded-For 几乎可以由任何人设置，但是如果您相信代理可以正确设置该值，那么请使用第一个(从末尾开始)不是 信任:

The access_route attribute uses the X-Forwarded-For header, falling back to the REMOTE_ADDR WSGI variable; the latter is fine as your server determines this; the X-Forwarded-For could have been set by just about anyone, but if you trust a proxy to set the value correctly, then use the first one (from the end) that is not trusted:

trusted_proxies = {'127.0.0.1'}  # define your own set
route = request.access_route + [request.remote_addr]

remote_addr = next((addr for addr in reversed(route) 
                    if addr not in trusted_proxies), request.remote_addr)

这样，即使有人用fake_ip1,fake_ip2来欺骗X-Forwarded-For标头，代理服务器也会添加,spoof_machine_ip到最后，上面的代码会设置remote_addr为spoof_machine_ip，不管除了你最外层的代理还有多少可信代理.

That way, even if someone spoofs the X-Forwarded-For header with fake_ip1,fake_ip2, the proxy server will add ,spoof_machine_ip to the end, and the above code will set the remote_addr to spoof_machine_ip, no matter how many trusted proxies there are in addition to your outermost proxy.

这是您链接的文章谈到的白名单方法(简而言之，Rails 使用它)，以及什么 Zope 于 11 年前实施.

This is the whitelist approach your linked article talks about (briefly, in that Rails uses it), and what Zope implemented over 11 years ago.

您的 ProxyFix 方法运行良好，但您误解了它的作用.它only 设置request.remote_addr；request.access_route 属性未更改(X-Forwarded-For 标头未由中间件调整).但是，我会非常警惕盲目地计算代理.

Your ProxyFix approach works just fine, but you misunderstood what it does. It only sets request.remote_addr; the request.access_route attribute is unchanged (the X-Forwarded-For header is not adjusted by the middleware). However, I'd be very wary of blindly counting off proxies.

对中间件应用相同的白名单方法看起来像:

Applying the same whitelist approach to the middleware would look like:

class WhitelistRemoteAddrFix(object):
    """This middleware can be applied to add HTTP proxy support to an
    application that was not designed with HTTP proxies in mind.  It
    only sets `REMOTE_ADDR` from `X-Forwarded` headers.

    Tests proxies against a set of trusted proxies.

    The original value of `REMOTE_ADDR` is stored in the WSGI environment
    as `werkzeug.whitelist_remoteaddr_fix.orig_remote_addr`.

    :param app: the WSGI application
    :param trusted_proxies: a set or sequence of proxy ip addresses that can be trusted.
    """

    def __init__(self, app, trusted_proxies=()):
        self.app = app
        self.trusted_proxies = frozenset(trusted_proxies)

    def get_remote_addr(self, remote_addr, forwarded_for):
        """Selects the new remote addr from the given list of ips in
        X-Forwarded-For.  Picks first non-trusted ip address.
        """

        if remote_addr in self.trusted_proxies:
            return next((ip for ip in reversed(forwarded_for)
                         if ip not in self.trusted_proxies),
                        remote_addr)

    def __call__(self, environ, start_response):
        getter = environ.get
        remote_addr = getter('REMOTE_ADDR')
        forwarded_for = getter('HTTP_X_FORWARDED_FOR', '').split(',')
        environ.update({
            'werkzeug.whitelist_remoteaddr_fix.orig_remote_addr': remote_addr,
        })
        forwarded_for = [x for x in [x.strip() for x in forwarded_for] if x]
        remote_addr = self.get_remote_addr(remote_addr, forwarded_for)
        if remote_addr is not None:
            environ['REMOTE_ADDR'] = remote_addr
        return self.app(environ, start_response)

明确地说:这个中间件也是，只设置request.remote_addr；request.access_route 不受影响.

To be explicit: this middleware too, only sets request.remote_addr; request.access_route remains unaffected.

这篇关于如何在 Flask 中安全地获取用户的真实 IP 地址(使用 mod_wsgi)?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！