WebFaction fixes middleware

class WebFactionFixes(object):
    """
    Middleware that applies some fixes for people using
    the WebFaction hosting provider.  In particular:

    * sets 'REMOTE_ADDR' based on 'HTTP_X_FORWARDED_FOR', if the
      latter is set.

    * Monkey patches request.is_secure() to respect HTTP_X_FORWARDED_SSL.

      ***PLEASE NOTE*** that this is not secure, since a user or an
      active network attacker could set X-Forwarded-SSL manually and the
      main WebFaction Apache/nginx instance does not remove it, so it will
      appear to be a secure request when it is not.

      For some applications, this could be a critical security flaw. For
      example, if users typically type yourdomain.com into browsers, which
      will be HTTP by default, and your app is supposed to redirect this to
      HTTPS, an active MITM attacker could add the X-Forwarded-Ssl header,
      causing the connection to proceed over HTTP, leaking all your
      sensitive information.

      In this scenario, this middleware will be useful in protecting against
      passive network attackers, but not active network attackers.

      WebFaction currently has no work-around for this flaw, AFAIK.

    """
    def process_request(self, request):
        # Fix REMOTE_ADDR
        try:
            real_ip = request.META['HTTP_X_FORWARDED_FOR']
        except KeyError:
            pass
        else:
            # HTTP_X_FORWARDED_FOR can be a comma-separated list of IPs. The
            # client's IP will be the first one.  Note that the first entry
            # is whatever the client itself sent; only the entry the
            # WebFaction proxy appends (the last one) is known to be genuine.
            real_ip = real_ip.split(",")[0].strip()
            request.META['REMOTE_ADDR'] = real_ip

        # Fix HTTPS.  Replace is_secure() on this request instance only; the
        # header is trusted unconditionally, which is the flaw noted above.
        if 'HTTP_X_FORWARDED_SSL' in request.META:
            request.is_secure = lambda: request.META['HTTP_X_FORWARDED_SSL'] == 'on'
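To make the caveat in the docstring concrete, here is an added example (not part of the snippet, and not WebFaction's or Django's code) that replays the same two decisions on a plain WSGI-style META dict. snippet_decision() is what the middleware above does; hardened_decision() honours the forwarded headers only when the TCP peer is a known proxy, takes the proxy-appended (rightmost untrusted) X-Forwarded-For entry instead of the client-controlled leftmost one, and prefers the server's own HTTPS / wsgi.url_scheme knowledge (which, per wf_sean's comment, the mod_wsgi installers set) over any forwarded header. The trusted-proxy range and the three sample requests are constructed for the example. The peer check stops a client that connects directly from spoofing either header, but it is not a fix for the problem the docstring describes: if the front-end proxy passes a client-supplied X-Forwarded-SSL through unchanged, no check in the application can tell it from a genuine one, so the real cure is for the proxy to set the scheme itself and strip the header.

```python
import ipaddress

# ASSUMPTION (not from the page): the front-end proxy that terminates TLS and
# adds the forwarded headers lives in this range. Adjust to the real upstream.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted_proxy(addr):
    """True if addr belongs to a proxy whose forwarded headers we honour."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def snippet_decision(meta):
    """The decision the WebFactionFixes middleware makes: forwarded headers
    are trusted unconditionally. Returns (remote_addr, is_secure)."""
    remote_addr = meta.get("REMOTE_ADDR", "")
    xff = meta.get("HTTP_X_FORWARDED_FOR")
    if xff:
        # Leftmost entry: whatever the client chose to send.
        remote_addr = xff.split(",")[0].strip()
    secure = meta.get("HTTP_X_FORWARDED_SSL") == "on"
    return remote_addr, secure


def hardened_decision(meta):
    """Same decision with two changes:
    1. Forwarded headers count only when the TCP peer (REMOTE_ADDR, read
       before anything overwrites it) is a trusted proxy; on a direct
       connection the client could have set them itself.
    2. X-Forwarded-For is walked from the right, skipping our own proxies,
       so the address used is the one the proxy appended.
    The scheme the server itself knows (HTTPS=on, as set by mod_wsgi, or
    wsgi.url_scheme) is consulted before any forwarded header."""
    peer = meta.get("REMOTE_ADDR", "")
    server_says_tls = (meta.get("HTTPS") == "on"
                       or meta.get("wsgi.url_scheme") == "https")
    if not is_trusted_proxy(peer):
        # Direct connection: nothing upstream could have set the headers.
        return peer, server_says_tls

    hops = [h.strip() for h in meta.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    client = peer
    for hop in reversed([h for h in hops if h]):
        if is_trusted_proxy(hop):
            continue  # one of our own proxies in the chain, keep walking left
        client = hop
        break

    # Still spoofable if the proxy forwards a client-supplied header unchanged.
    secure = server_says_tls or meta.get("HTTP_X_FORWARDED_SSL") == "on"
    return client, secure


# Constructed sample requests, as the application would see request.META.
# Genuine HTTPS client behind the proxy:
LEGIT = {"REMOTE_ADDR": "10.0.0.1", "wsgi.url_scheme": "http",
         "HTTP_X_FORWARDED_FOR": "203.0.113.5", "HTTP_X_FORWARDED_SSL": "on"}
# Client at 198.51.100.7 sent its own X-Forwarded-For; the proxy appended the
# real address on the right:
SPOOFED_XFF = {"REMOTE_ADDR": "10.0.0.1", "wsgi.url_scheme": "http",
               "HTTP_X_FORWARDED_FOR": "203.0.113.5, 198.51.100.7"}
# Direct plain-HTTP connection that claims to have been TLS-terminated:
DIRECT_SPOOF = {"REMOTE_ADDR": "198.51.100.7", "wsgi.url_scheme": "http",
                "HTTP_X_FORWARDED_SSL": "on"}


if __name__ == "__main__":
    for name, meta in (("legit", LEGIT), ("spoofed XFF", SPOOFED_XFF),
                       ("direct spoof", DIRECT_SPOOF)):
        print(name, "snippet:", snippet_decision(meta),
              "hardened:", hardened_decision(meta))
```

Running it shows the snippet reporting the spoofed 203.0.113.5 as the client and the direct plain-HTTP request as secure, while the hardened version returns 198.51.100.7 and False for those two cases and agrees with the snippet on the genuine request.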


Comments

pingyip (on September 2, 2009):

Spookylukey,

thanks for the patch. It works! I would think WF should post this as part of their installation/setup instruction for django. After all, https and django are not such a rare combination. Have you considered alerting the webfaction folks?

thanks again.


spookylukey (on September 3, 2009):

Cheers pingyip, I've done so now.


wf_sean (on December 10, 2010):

It's worth noting that WebFaction recommends mod_wsgi for Django deployment, and our current mod_wsgi based installers set the HTTPS environment variable properly so the HTTP_X_FORWARDED_SSL bit isn't required.
