Let tornado parse xheaders

f6d2776a · Sheng · 88405edd · f6d2776a · f6d2776a · f6d2776a
Commit f6d2776a authored Oct 10, 2018 by Sheng
Hide whitespace changes
Inline Side-by-side

Showing with 48 additions and 24 deletions

test_handler.py tests/test_handler.py +29 -11

handler.py webssh/handler.py +17 -12

main.py webssh/main.py +2 -1

No files found.
--- a/tests/test_handler.py
+++ b/tests/test_handler.py
@@ -9,25 +9,43 @@ from webssh.handler import MixinHandler, IndexHandler, InvalidValueError
 class TestMixinHandler(unittest.TestCase):
    def test_get_real_client_addr(self):
+        x_forwarded_for = '1.1.1.1'
+        x_forwarded_port = 1111
+        x_real_ip = '2.2.2.2'
+        x_real_port = 2222
+        fake_port = 65535
        handler = MixinHandler()
        handler.request = HTTPServerRequest(uri='/')
+        handler.request.remote_ip = x_forwarded_for
        self.assertIsNone(handler.get_real_client_addr())
-        ip = '127.0.0.1'
+        handler.request.headers.add('X-Forwarded-For', x_forwarded_for)
-        handler.request.headers.add('X-Real-Ip', ip)
+        self.assertEqual(handler.get_real_client_addr(),
-        self.assertEqual(handler.get_real_client_addr(), False)
+                         (x_forwarded_for, fake_port))
+        handler.request.headers.add('X-Forwarded-Port', fake_port + 1)
+        self.assertEqual(handler.get_real_client_addr(),
+                         (x_forwarded_for, fake_port))
+        handler.request.headers['X-Forwarded-Port'] = x_forwarded_port
+        self.assertEqual(handler.get_real_client_addr(),
+                         (x_forwarded_for, x_forwarded_port))
-        handler.request.headers.add('X-Real-Port', '12345x')
+        handler.request.remote_ip = x_real_ip
-        self.assertEqual(handler.get_real_client_addr(), False)
-        handler.request.headers.update({'X-Real-Port': '12345'})
+        handler.request.headers.add('X-Real-Ip', x_real_ip)
-        self.assertEqual(handler.get_real_client_addr(), (ip, 12345))
+        self.assertEqual(handler.get_real_client_addr(),
+                         (x_real_ip, fake_port))
-        handler.request.headers.update({'X-Real-ip': None})
+        handler.request.headers.add('X-Real-Port', fake_port + 1)
-        self.assertEqual(handler.get_real_client_addr(), False)
+        self.assertEqual(handler.get_real_client_addr(),
+                         (x_real_ip, fake_port))
-        handler.request.headers.update({'X-Real-Port': '12345x'})
+        handler.request.headers['X-Real-Port'] = x_real_port
-        self.assertEqual(handler.get_real_client_addr(), False)
+        self.assertEqual(handler.get_real_client_addr(),
+                         (x_real_ip, x_real_port))
 class TestIndexHandler(unittest.TestCase):

--- a/webssh/handler.py
+++ b/webssh/handler.py
@@ -45,19 +45,22 @@ class MixinHandler(object):
        return value
    def get_real_client_addr(self):
-        ip = self.request.headers.get('X-Real-Ip')
+        ip = self.request.remote_ip
-        port = self.request.headers.get('X-Real-Port')
-        if ip is None and port is None:
+        if ip == self.request.headers.get('X-Real-Ip'):
-            return  # suppose this app doesn't run after an nginx server
+            port = self.request.headers.get('X-Real-Port')
+        elif ip in self.request.headers.get('X-Forwarded-For', ''):
+            port = self.request.headers.get('X-Forwarded-Port')
+        else:
+            # not running behind an nginx server
+            return
-        if is_valid_ipv4_address(ip) or is_valid_ipv6_address(ip):
+        port = to_int(port)
-            port = to_int(port)
+        if port is None or not is_valid_port(port):
-            if port and is_valid_port(port):
+            # fake port
-                return (ip, port)
+            port = 65535
-        logging.warning('Bad nginx configuration.')
+        return (ip, port)
-        return False
 class IndexHandler(MixinHandler, tornado.web.RequestHandler):
@@ -94,13 +97,15 @@ class IndexHandler(MixinHandler, tornado.web.RequestHandler):
    def get_privatekey(self):
        name = 'privatekey'
-        lst = self.request.files.get(name)  # multipart form
+        lst = self.request.files.get(name)
        if lst:
+            # multipart form
            self.privatekey_filename = lst[0]['filename']
            data = lst[0]['body']
            value = self.decode_argument(data, name=name).strip()
        else:
-            value = self.get_argument(name, u'')  # urlencoded form
+            # urlencoded form
+            value = self.get_argument(name, u'')
        if len(value) > KEY_MAX_SIZE:
            raise InvalidValueError(

--- a/webssh/main.py
+++ b/webssh/main.py
@@ -28,7 +28,8 @@ def main():
    options.parse_command_line()
    loop = tornado.ioloop.IOLoop.current()
    app = make_app(make_handlers(loop, options), get_app_settings(options))
-    app.listen(options.port, options.address, max_body_size=max_body_size)
+    server_settings = dict(xheaders=True, max_body_size=max_body_size)
+    app.listen(options.port, options.address, **server_settings)
    logging.info('Listening on {}:{}'.format(options.address, options.port))
    loop.start()