core/homeassistant/components/http/real_ip.py

"""Middleware to fetch real IP."""
from ipaddress import ip_address

from aiohttp.hdrs import X_FORWARDED_FOR
from aiohttp.web import middleware

from homeassistant.core import callback

from .const import KEY_REAL_IP

# mypy: allow-untyped-defs


@callback
def setup_real_ip(app, use_x_forwarded_for, trusted_proxies):
    """Create IP Ban middleware for the app."""

    @middleware
    async def real_ip_middleware(request, handler):
        """Real IP middleware."""
        connected_ip = ip_address(request.transport.get_extra_info("peername")[0])
        request[KEY_REAL_IP] = connected_ip

        # Only use the XFF header if enabled, present, and from a trusted proxy
        try:
            if (
                use_x_forwarded_for
                and X_FORWARDED_FOR in request.headers
                and any(
                    connected_ip in trusted_proxy for trusted_proxy in trusted_proxies
                )
            ):
                request[KEY_REAL_IP] = ip_address(
                    request.headers.get(X_FORWARDED_FOR).split(", ")[-1]
                )
        except ValueError:
            pass

        return await handler(request)

    app.middlewares.append(real_ip_middleware)
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`"""Middleware to fetch real IP."""`
			`from ipaddress import ip_address`

			`from aiohttp.hdrs import X_FORWARDED_FOR`
Update file header (#21061) * Update file header * Fix lint issue * Fix lint issue 2019-02-14 15:01:46 +00:00			`from aiohttp.web import middleware`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00
			`from homeassistant.core import callback`

			`from .const import KEY_REAL_IP`

Type check various base components (#25878) * Type check various component base classes, disabling bunch of checks for now * Type hint fixes * Help mypy out some * Add more type hints 2019-08-12 03:38:18 +00:00			`# mypy: allow-untyped-defs`


Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`@callback`
X-Forwarded-For improvements and bug fixes (#15204) * Use new trusted_proxies setting for X-Forwarded-For whitelist * Only use the last IP in the header Per Wikipedia (https://en.wikipedia.org/wiki/X-Forwarded-For#Format): > The last IP address is always the IP address that connects to the last proxy, > which means it is the most reliable source of information. * Add two additional tests * Ignore nonsense header values instead of failing 2018-06-29 20:27:06 +00:00			`def setup_real_ip(app, use_x_forwarded_for, trusted_proxies):`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`"""Create IP Ban middleware for the app."""`
Black 2019-07-31 19:25:30 +00:00
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`@middleware`
Move HomeAssistantView to separate file. Convert http to async syntax. [skip ci] (#12982) * Move HomeAssistantView to separate file. Convert http to async syntax. * pylint * websocket api * update emulated_hue for async/await * Lint 2018-03-09 01:51:49 +00:00			`async def real_ip_middleware(request, handler):`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00			`"""Real IP middleware."""`
Black 2019-07-31 19:25:30 +00:00			`connected_ip = ip_address(request.transport.get_extra_info("peername")[0])`
Only use the X-Forwarded-For header if connection is from a trusted network (#15182) See https://github.com/home-assistant/home-assistant/issues/14345#issuecomment-400854569 2018-06-28 13:16:11 +00:00			`request[KEY_REAL_IP] = connected_ip`

			`# Only use the XFF header if enabled, present, and from a trusted proxy`
X-Forwarded-For improvements and bug fixes (#15204) * Use new trusted_proxies setting for X-Forwarded-For whitelist * Only use the last IP in the header Per Wikipedia (https://en.wikipedia.org/wiki/X-Forwarded-For#Format): > The last IP address is always the IP address that connects to the last proxy, > which means it is the most reliable source of information. * Add two additional tests * Ignore nonsense header values instead of failing 2018-06-29 20:27:06 +00:00			`try:`
Black 2019-07-31 19:25:30 +00:00			`if (`
			`use_x_forwarded_for`
			`and X_FORWARDED_FOR in request.headers`
			`and any(`
			`connected_ip in trusted_proxy for trusted_proxy in trusted_proxies`
			`)`
			`):`
X-Forwarded-For improvements and bug fixes (#15204) * Use new trusted_proxies setting for X-Forwarded-For whitelist * Only use the last IP in the header Per Wikipedia (https://en.wikipedia.org/wiki/X-Forwarded-For#Format): > The last IP address is always the IP address that connects to the last proxy, > which means it is the most reliable source of information. * Add two additional tests * Ignore nonsense header values instead of failing 2018-06-29 20:27:06 +00:00			`request[KEY_REAL_IP] = ip_address(`
Black 2019-07-31 19:25:30 +00:00			`request.headers.get(X_FORWARDED_FOR).split(", ")[-1]`
			`)`
X-Forwarded-For improvements and bug fixes (#15204) * Use new trusted_proxies setting for X-Forwarded-For whitelist * Only use the last IP in the header Per Wikipedia (https://en.wikipedia.org/wiki/X-Forwarded-For#Format): > The last IP address is always the IP address that connects to the last proxy, > which means it is the most reliable source of information. * Add two additional tests * Ignore nonsense header values instead of failing 2018-06-29 20:27:06 +00:00			`except ValueError:`
			`pass`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00
Move HomeAssistantView to separate file. Convert http to async syntax. [skip ci] (#12982) * Move HomeAssistantView to separate file. Convert http to async syntax. * pylint * websocket api * update emulated_hue for async/await * Lint 2018-03-09 01:51:49 +00:00			`return await handler(request)`
Cleanup http (#12424) * Clean up HTTP component * Clean up HTTP mock * Remove unused import * Fix test * Lint 2018-02-15 21:06:14 +00:00
Use proper signals (#18613) * Emulated Hue not use deprecated handler * Remove no longer needed workaround * Add middleware directly * Dont always load the ban config file * Update homeassistant/components/http/ban.py Co-Authored-By: balloob <paulus@home-assistant.io> * Update __init__.py 2018-11-21 19:55:21 +00:00			`app.middlewares.append(real_ip_middleware)`