Add ProxyFix middleware

This allows for Hypercorn to be used behind a proxy with the headers being "fixed" such that the proxy is not present as far as the app is concerned. This makes it easier to write applications that run behind proxies. Note I've defaulted to legacy mode as AWS's load balancers don't support the modern Forwarded header and I assume that makes up a large percentage of real world usage.
pgjones · Dec 28, 2023 · 4fc0372 · apollo13 · Dec 31, 2023 · pgjones
1 parent 2d2c62b
commit 4fc0372
Show file tree

Hide file tree

Showing 5 changed files with 178 additions and 0 deletions.
diff --git a/docs/how_to_guides/index.rst b/docs/how_to_guides/index.rst
@@ -11,6 +11,7 @@ How to guides
    dispatch_apps.rst
    http_https_redirect.rst
    logging.rst
+   proxy_fix.rst
    server_names.rst
    statsd.rst
    wsgi_apps.rst
diff --git a/docs/how_to_guides/proxy_fix.rst b/docs/how_to_guides/proxy_fix.rst
@@ -0,0 +1,33 @@
+Fixing proxy headers
+====================
+
+If you are serving Hypercorn behind a proxy e.g. a load balancer the
+client-address, scheme, and host-header will match that of the
+connection between the proxy and Hypercorn rather than the user-agent
+(client). However, most proxies provide headers with the original
+user-agent (client) values which can be used to "fix" the headers to
+these values.
+
+Modern proxies should provide this information via a ``Forwarded``
+header from `RFC 7239
+<https://datatracker.ietf.org/doc/html/rfc7239>`_. However, this is
+rare in practice with legacy proxies using a combination of
+``X-Forwarded-For``, ``X-Forwarded-Proto`` and
+``X-Forwarded-Host``. It is important that you chose the correct mode
+(legacy, or modern) based on the proxy you use.
+
+To use the proxy fix middleware behind a single legacy proxy simply
+wrap your app and serve the wrapped app,
+
+.. code-block:: python
+
+    from hypercorn.middleware import ProxyFixMiddleware
+
+    fixed_app = ProxyFixMiddleware(app, mode="legacy", trusted_hops=1)
+
+.. warning::
+
+    The mode and number of trusted hops must match your setup or the
+    user-agent (client) may be trusted and hence able to set
+    alternative for, proto, and host values. This can, depending on
+    your usage in the app, lead to security vulnerabilities.
diff --git a/src/hypercorn/middleware/__init__.py b/src/hypercorn/middleware/__init__.py
@@ -2,11 +2,13 @@
 
 from .dispatcher import DispatcherMiddleware
 from .http_to_https import HTTPToHTTPSRedirectMiddleware
+from .proxy_fix import ProxyFixMiddleware
 from .wsgi import AsyncioWSGIMiddleware, TrioWSGIMiddleware
 
 __all__ = (
     "AsyncioWSGIMiddleware",
     "DispatcherMiddleware",
     "HTTPToHTTPSRedirectMiddleware",
+    "ProxyFixMiddleware",
     "TrioWSGIMiddleware",
 )
diff --git a/src/hypercorn/middleware/proxy_fix.py b/src/hypercorn/middleware/proxy_fix.py
@@ -0,0 +1,78 @@
+from __future__ import annotations
+
+from copy import deepcopy
+from typing import Callable, Iterable, Literal, Optional, Tuple
+
+from ..typing import ASGIFramework, Scope
+
+
+class ProxyFixMiddleware:
+    def __init__(
+        self,
+        app: ASGIFramework,
+        mode: Literal["legacy", "modern"] = "legacy",
+        trusted_hops: int = 1,
+    ) -> None:
+        self.app = app
+        self.mode = mode
+        self.trusted_hops = trusted_hops
+
+    async def __call__(self, scope: Scope, receive: Callable, send: Callable) -> None:
+        if scope["type"] in {"http", "websocket"}:
+            scope = deepcopy(scope)
+            headers = scope["headers"]  # type: ignore
+            client: Optional[str] = None
+            scheme: Optional[str] = None
+            host: Optional[str] = None
+
+            if (
+                self.mode == "modern"
+                and (value := _get_trusted_value(b"forwarded", headers, self.trusted_hops))
+                is not None
+            ):
+                for part in value.split(";"):
+                    if part.startswith("for="):
+                        client = part[4:].strip()
+                    elif part.startswith("host="):
+                        host = part[5:].strip()
+                    elif part.startswith("proto="):
+                        scheme = part[6:].strip()
+
+            else:
+                client = _get_trusted_value(b"x-forwarded-for", headers, self.trusted_hops)
+                scheme = _get_trusted_value(b"x-forwarded-proto", headers, self.trusted_hops)
+                host = _get_trusted_value(b"x-forwarded-host", headers, self.trusted_hops)
+
+            if client is not None:
+                scope["client"] = (client, 0)  # type: ignore
+
+            if scheme is not None:
+                scope["scheme"] = scheme  # type: ignore
+
+            if host is not None:
+                headers = [
+                    (name, header_value)
+                    for name, header_value in headers
+                    if name.lower() != b"host"
+                ]
+                headers.append((b"host", host))
+                scope["headers"] = headers  # type: ignore
+
+        await self.app(scope, receive, send)
+
+
+def _get_trusted_value(
+    name: bytes, headers: Iterable[Tuple[bytes, bytes]], trusted_hops: int
+) -> Optional[str]:
+    if trusted_hops == 0:
+        return None
+
+    values = []
+    for header_name, header_value in headers:
+        if header_name.lower() == name:
+            values.extend([value.decode("latin1").strip() for value in header_value.split(b",")])
+
+    if len(values) >= trusted_hops:
+        return values[-trusted_hops]
+
+    return None
diff --git a/tests/middleware/test_proxy_fix.py b/tests/middleware/test_proxy_fix.py
@@ -0,0 +1,64 @@
+from __future__ import annotations
+
+from unittest.mock import AsyncMock
+
+import pytest
+
+from hypercorn.middleware import ProxyFixMiddleware
+from hypercorn.typing import HTTPScope
+
+
+@pytest.mark.asyncio
+async def test_proxy_fix_legacy() -> None:
+    mock = AsyncMock()
+    app = ProxyFixMiddleware(mock)
+    scope: HTTPScope = {
+        "type": "http",
+        "asgi": {},
+        "http_version": "2",
+        "method": "GET",
+        "scheme": "http",
+        "path": "/",
+        "raw_path": b"/",
+        "query_string": b"",
+        "root_path": "",
+        "headers": [
+            (b"x-forwarded-for", b"127.0.0.1"),
+            (b"x-forwarded-for", b"127.0.0.2"),
+            (b"x-forwarded-proto", b"http,https"),
+        ],
+        "client": ("127.0.0.3", 80),
+        "server": None,
+        "extensions": {},
+    }
+    await app(scope, None, None)
+    mock.assert_called()
+    assert mock.call_args[0][0]["client"] == ("127.0.0.2", 0)
+    assert mock.call_args[0][0]["scheme"] == "https"
+
+
+@pytest.mark.asyncio
+async def test_proxy_fix_modern() -> None:
+    mock = AsyncMock()
+    app = ProxyFixMiddleware(mock, mode="modern")
+    scope: HTTPScope = {
+        "type": "http",
+        "asgi": {},
+        "http_version": "2",
+        "method": "GET",
+        "scheme": "http",
+        "path": "/",
+        "raw_path": b"/",
+        "query_string": b"",
+        "root_path": "",
+        "headers": [
+            (b"forwarded", b"for=127.0.0.1;proto=http,for=127.0.0.2;proto=https"),
+        ],
+        "client": ("127.0.0.3", 80),
+        "server": None,
+        "extensions": {},
+    }
+    await app(scope, None, None)
+    mock.assert_called()
+    assert mock.call_args[0][0]["client"] == ("127.0.0.2", 0)
+    assert mock.call_args[0][0]["scheme"] == "https"