[or-cvs] r13491: Implement bridgedb feature to take IPs from X-Forwarded-For (in bridgedb/trunk: . lib/bridgedb)
nickm at seul.org
nickm at seul.org
Wed Feb 13 15:08:58 UTC 2008
Author: nickm
Date: 2008-02-13 10:08:58 -0500 (Wed, 13 Feb 2008)
New Revision: 13491
Modified:
bridgedb/trunk/
bridgedb/trunk/bridgedb.conf
bridgedb/trunk/lib/bridgedb/Main.py
bridgedb/trunk/lib/bridgedb/Server.py
Log:
r18063 at catbus: nickm | 2008-02-13 10:08:53 -0500
Implement bridgedb feature to take IPs from X-Forwarded-For headers
Property changes on: bridgedb/trunk
___________________________________________________________________
svk:merge ticket from /bridgedb/trunk [r18063] on 8246c3cf-6607-4228-993b-4d95d33730f1
Modified: bridgedb/trunk/bridgedb.conf
===================================================================
--- bridgedb/trunk/bridgedb.conf 2008-02-13 15:08:45 UTC (rev 13490)
+++ bridgedb/trunk/bridgedb.conf 2008-02-13 15:08:58 UTC (rev 13491)
@@ -50,9 +50,15 @@
HTTPS_CERT_FILE="cert"
# Private key file.
HTTPS_KEY_FILE="privkey.pem"
-# IP and port to listen on for unencrypted HTTP connections. Debugging only.
+# If true, there is a trusted proxy relaying incoming messages to us: take
+# the *last* entry from its X-Forwarded-For header as the client's IP.
+HTTPS_USE_IP_FROM_FORWARDED_HEADER = False
+
+# IP and port to listen on for unencrypted HTTP connections.
HTTP_UNENCRYPTED_BIND_IP=None
HTTP_UNENCRYPTED_PORT=None
+# As HTTPS_USE_IP_FROM_FORWARDED_HEADER, but for unencrypted connections.
+HTTP_USE_IP_FROM_FORWARDED_HEADER = False
# How many bridges do we give back in an answer?
HTTPS_N_BRIDGES_PER_ANSWER=3
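Review bot: The comment added for HTTPS_USE_IP_FROM_FORWARDED_HEADER names the trusted-proxy assumption but not what enforces it; once the option is on, any peer that can reach the listener directly chooses its own "client IP" simply by sending the header, so the listener must be reachable only from the proxy. I would extend the comment with `# Only enable this when the listener is reachable solely through that proxy (e.g. bound to loopback or firewalled); otherwise any client can pick its own IP.` The same caveat applies to the HTTP_USE_IP_FROM_FORWARDED_HEADER comment below it. The two new assignments also use spaces around `=` while every neighbouring setting does not; worth matching the file's style.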
Modified: bridgedb/trunk/lib/bridgedb/Main.py
===================================================================
--- bridgedb/trunk/lib/bridgedb/Main.py 2008-02-13 15:08:45 UTC (rev 13490)
+++ bridgedb/trunk/lib/bridgedb/Main.py 2008-02-13 15:08:58 UTC (rev 13491)
@@ -49,8 +49,10 @@
HTTPS_PORT=6789,
HTTPS_CERT_FILE="cert",
HTTPS_KEY_FILE="privkey.pem",
+ HTTPS_USE_IP_FROM_FORWARDED_HEADER=0,
HTTP_UNENCRYPTED_BIND_IP=None,
HTTP_UNENCRYPTED_PORT=6788,
+ HTTP_USE_IP_FROM_FORWARDED_HEADER=1,
HTTPS_N_BRIDGES_PER_ANSWER=2,
EMAIL_DIST = True,
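Review bot: The built-in default `HTTP_USE_IP_FROM_FORWARDED_HEADER=1` disagrees with both the HTTPS default on the line above it (0) and the shipped bridgedb.conf, which sets the option to False. Combined with the unchanged `HTTP_UNENCRYPTED_BIND_IP=None` (listen on all interfaces), a deployment that does not override this value will trust X-Forwarded-For from any peer on the plaintext port, which lets a direct client select the address used for bridge selection. Unless the 1 is a deliberate debugging default, I would change it to `HTTP_USE_IP_FROM_FORWARDED_HEADER=0,` so the safe behaviour is opt-in. The defaults literal this sits in starts and ends outside the hunk.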
Modified: bridgedb/trunk/lib/bridgedb/Server.py
===================================================================
--- bridgedb/trunk/lib/bridgedb/Server.py 2008-02-13 15:08:45 UTC (rev 13490)
+++ bridgedb/trunk/lib/bridgedb/Server.py 2008-02-13 15:08:58 UTC (rev 13491)
@@ -76,7 +76,7 @@
bridges in response to a request."""
isLeaf = True
- def __init__(self, distributor, schedule, N=1):
+ def __init__(self, distributor, schedule, N=1, useForwardedHeader=False):
"""Create a new WebResource.
distributor -- an IPBasedDistributor object
schedule -- an IntervalSchedule object
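Review bot: The new useForwardedHeader parameter is not documented in the __init__ docstring, and since this hunk adds no net lines and the next hunk starts at line 86 on both sides, no description was added further down either. I would append to the parameter list `useForwardedHeader -- if true, take the client IP from the last entry of the X-Forwarded-For header rather than from the transport address`. The docstring continues past the end of this hunk.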
@@ -86,12 +86,25 @@
self.distributor = distributor
self.schedule = schedule
self.nBridgesToGive = N
+ self.useForwardedHeader = useForwardedHeader
def render_GET(self, request):
interval = self.schedule.getInterval(time.time())
- ip = request.getClientIP()
- bridges = self.distributor.getBridgesForIP(ip, interval,
- self.nBridgesToGive)
+ bridges = ( )
+ ip = None
+ if self.useForwardedHeader:
+ h = request.getHeader("X-Forwarded-For")
+ if h:
+ ip = h.split(",")[-1].strip()
+ if not bridgedb.Bridges.is_valid_ip(ip):
+ logging.warn("Got weird forwarded-for value %r",h)
+ ip = None
+ else:
+ ip = request.getClientIP()
+
+ if ip:
+ bridges = self.distributor.getBridgesForIP(ip, interval,
+ self.nBridgesToGive)
if bridges:
answer = "".join("%s\n" % b.getConfigLine() for b in bridges)
else:
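Review bot: When useForwardedHeader is set but the request carries no X-Forwarded-For header, ip stays None and the request silently gets no bridges; that is the safe outcome, but it is also the symptom of a client reaching the listener without going through the proxy, which an operator would want to see in the log. I would add, after the `if h:` block, `else:` / `logging.warn("useForwardedHeader set but no X-Forwarded-For header in request")`. Taking the last comma-separated entry is the right choice only when the proxy appends its own observation rather than forwarding the client-supplied header unchanged; a one-line comment above `ip = h.split(",")[-1].strip()` stating that assumption would help the next reader. The call to `bridgedb.Bridges.is_valid_ip` presumes `bridgedb` is imported in this module, which the hunk does not show; worth confirming. render_GET ends outside the hunk.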
@@ -106,16 +119,20 @@
HTTPS_N_BRIDGES_PER_ANSWER
HTTP_UNENCRYPTED_PORT
HTTP_UNENCRYPTED_BIND_IP
+ HTTP_USE_IP_FROM_FORWARDED_HEADER
HTTPS_PORT
HTTPS_BIND_IP
+ HTTPS_USE_IP_FROM_FORWARDED_HEADER
dist -- an IPBasedDistributor object.
sched -- an IntervalSchedule object.
"""
Site = twisted.web.server.Site
- resource = WebResource(dist, sched, cfg.HTTPS_N_BRIDGES_PER_ANSWER)
- site = Site(resource)
+ site = None
if cfg.HTTP_UNENCRYPTED_PORT:
ip = cfg.HTTP_UNENCRYPTED_BIND_IP or ""
+ resource = WebResource(dist, sched, cfg.HTTPS_N_BRIDGES_PER_ANSWER,
+ cfg.HTTP_USE_IP_FROM_FORWARDED_HEADER)
+ site = Site(resource)
reactor.listenTCP(cfg.HTTP_UNENCRYPTED_PORT, site, interface=ip)
if cfg.HTTPS_PORT:
from twisted.internet.ssl import DefaultOpenSSLContextFactory
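Review bot: With `site = None` replacing the unconditional Site construction, addWebServer now returns None when neither HTTP_UNENCRYPTED_PORT nor HTTPS_PORT is configured, whereas before it always returned a Site; if any caller uses the return value this is a behaviour change the docstring should state, e.g. `Returns the Site for the last listener started, or None if no listener was configured.` The unencrypted listener is also still built with HTTPS_N_BRIDGES_PER_ANSWER, which is pre-existing but now sits next to a correctly HTTP-prefixed forwarded-header option and reads as a copy-paste slip. The function's return statement is in the following hunk.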
@@ -123,6 +140,9 @@
ip = cfg.HTTPS_BIND_IP or ""
factory = DefaultOpenSSLContextFactory(cfg.HTTPS_KEY_FILE,
cfg.HTTPS_CERT_FILE)
+ resource = WebResource(dist, sched, cfg.HTTPS_N_BRIDGES_PER_ANSWER,
+ cfg.HTTPS_USE_IP_FROM_FORWARDED_HEADER)
+ site = Site(resource)
reactor.listenSSL(cfg.HTTPS_PORT, site, factory, interface=ip)
return site