Use Forwarded, X-Forwarded-Scheme and X-Forwarded-Host for better scheme and host resolution

[evertlammerts]

What do these changes do?

They enhance the resolution mechanism for scheme and host in aiohttp.web_request.Baserequest.

The scheme is resolved based on:

• the currently used transport
• the secure_proxy_ssl_header argument of BaseRequest.__init__
• the Forwarded header
• the X-Forwarded-Proto header

in that order.

The host is resolved based on:

• the Forwarded header
• the X-Forwarded-Host header
• the Host header

in that order.

Are there changes in behavior for the user?

This PR does not include changes in the contract.

Related issue number

#1134 Support X-Forwarded-* and Forwarded implicitly, deprecate secure_proxy_ssl_header.

Checklist

• I think the code is well written
• Unit tests for the changes exist
• Documentation reflects the changes
• If you provide code modification, please add yourself to CONTRIBUTORS.txt
  • The format is <Name> <Surname>.
  • Please keep alphabetical order, the file is sorted by names.
• Add a new entry to CHANGES.rst
  • Choose any open position to avoid merge conflicts with other PRs.
  • Add a link to the issue you are fixing (if any) using #issue_number format at the end of changelog message. Use Pull Request number if there are no issues for PR or PR covers the issue only partially.

[AraHaan]

PEP8 here. Please split this to 2 lines or more of up to 79 characters per line. For more information on PEP8 see the www.python.org page on PEP8.

[asvetlov]

Implementation looks good on fist glaze.
Let me reread RFC before merging.
I'll add required deprecation records after merging if @evertlammerts has troubles with it.

[evertlammerts]

does c2848ed cover the deprecation of secure_proxy_ssl_header?

[AraHaan]

Seems alright for now.

[evertlammerts]

Ping @asvetlov

[asvetlov]

Sorry, I'm on US PyCon right now and quite busy.

[asvetlov]

https://tools.ietf.org/html/rfc7239 says that Forwarded header could be present several times but the very first occurrence points to host which initiates the request.
@evertlammerts could you add an explicit test for it?

[asvetlov]

I suspect the parser should be more complicated.

The header field value can be
   defined in ABNF syntax as:

       Forwarded   = 1#forwarded-element

       forwarded-element =
           [ forwarded-pair ] *( ";" [ forwarded-pair ] )

       forwarded-pair = token "=" value
       value          = token / quoted-string

       token = <Defined in [RFC7230], Section 3.2.6>
       quoted-string = <Defined in [RFC7230], Section 3.2.6>

It means the forwarded-pair elements could be in random order: by=a; host=b.com and host=b.com, by=a are both valid combinations.
Also value could be optionally quoted, aiohttp shoud unquote it automatically.
pair-name is case-insensitive: all 'Host', 'host', and 'HOst` are valid names:

       Forwarded: for="_gazonk"
       Forwarded: For="[2001:db8:cafe::17]:4711"
       Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43
       Forwarded: for=192.0.2.43, for=198.51.100.17

   Note that as ":" and "[]" are not valid characters in "token", IPv6
   addresses are written as "quoted-string".

[asvetlov]

Please note: the lase example contains two for pairs, it's not supported by your regexp now.

[evertlammerts]

😊 I should have been way more thorough. Sorry about this, I will go fix. Thanks for looking into it!

…

On Sat, May 20, 2017 at 7:59 AM, Andrew Svetlov ***@***.***> wrote: ***@***.**** requested changes on this pull request. ------------------------------ In aiohttp/web_request.py <#1881 (comment)>: > @@ -151,15 +151,30 @@ def secure(self): return self.url.scheme == 'https' @reify + def _forwarded(self): + forwarded = self._message.headers.get(hdrs.FORWARDED) + if forwarded is not None: + parsed = re.findall( + r'^by=([^;]*); +for=([^;]*); +host=([^;]*); +proto=(https?)$', I suspect the parser should be more complicated. The header field value can be defined in ABNF syntax as: Forwarded = 1#forwarded-element forwarded-element = [ forwarded-pair ] *( ";" [ forwarded-pair ] ) forwarded-pair = token "=" value value = token / quoted-string token = <Defined in [RFC7230], Section 3.2.6> quoted-string = <Defined in [RFC7230], Section 3.2.6> It means the forwarded-pair elements could be in random order: by=a; host= b.com and host=b.com, by=a are both valid combinations. Also value could be optionally quoted, aiohttp shoud unquote it automatically. pair-name is case-insensitive: all 'Host', 'host', and 'HOst` are valid names: Forwarded: for="_gazonk" Forwarded: For="[2001:db8:cafe::17]:4711" Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43 Forwarded: for=192.0.2.43, for=198.51.100.17 Note that as ":" and "[]" are not valid characters in "token", IPv6 addresses are written as "quoted-string". ------------------------------ In aiohttp/web_request.py <#1881 (comment)>: > @@ -151,15 +151,30 @@ def secure(self): return self.url.scheme == 'https' @reify + def _forwarded(self): + forwarded = self._message.headers.get(hdrs.FORWARDED) + if forwarded is not None: + parsed = re.findall( + r'^by=([^;]*); +for=([^;]*); +host=([^;]*); +proto=(https?)$', Please note: the lase example contains two for pairs, it's not supported by your regexp now. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1881 (review)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACjx1nCRcX1AMTWrK0Ev9NY-YbwoSrxfks5r7oFTgaJpZM4NYgE5> .

[evertlammerts]

Alright, this actually adds a public forwarded property to BaseRequest. It makes an effort to parse Forwarded headers as specified by the RFC:

• It adds all parameters (by, for, host, proto) in the order it finds them; starting at the topmost / first added 'Forwarded' header, at the leftmost / first-added parameter.
• It checks that the value has valid syntax in general as specified in section 4: either a 'token' or a 'quoted-string'.
• It un-escapes found escape sequences.
• It does NOT validate 'by' and 'for' contents as specified in section 6.
• It does NOT validate 'host' contents (Host ABNF).
• It does NOT validate 'proto' contents for valid URI scheme names.

Don't you think the place for parsing the Forwarded header is rather a middleware? I'm in doubt myself now.

Otherwise, what's a good place for the regex constants? Would be nice to compile the regex only once, but module level doesn't do much for esthetics.

[asvetlov]

I love .req.forwarded property.

No, we don't need a middleware for it.

Global variables for regexps are pretty fine. If you don't like this approach you could put them ad class variables into BaseRequest

[asvetlov]

Don't create a tuple but make a generator comprehension. It saves both time and memory.

[asvetlov]

Please support Forwarded: by=first, by=second form, it's equal to

Forwarded: by=first
Forwarded: by=second

[evertlammerts]

This is supported by the regexes and I've included tests for it

[asvetlov]

Drop this check, iteration over empty forwarded_elm is pretty fine.

[asvetlov]

Drop the check, in is not free.
Use for forwarded_elm in self._message.headers.getall(hdrs.FORWARDED, []) instead

[asvetlov]

IIRC spaces around = are allowed.

[evertlammerts]

I'm not sure but as far as I can see that's not the case. Section 4 only says forwarded-pair = token "=" value and section 7 recalls Note that an HTTP list allows white spaces to occur between the identifiers, and the list may be split over multiple header fields.

[asvetlov]

IMHO it's rare case but still allowed

[asvetlov]

Add a check for value[-1] == '"'

[asvetlov]

If empty value allowed? I mean len(value) == 0.
Also if value: gives the same result as if len(value) but works a bit faster.

[evertlammerts]

There's no need to check for a closing quote: the regex validates quoted-string so any value starting with " must also have a closing ".

A token may be empty (but note again that I don't check the syntax in section 6)

[asvetlov]

I believe the property's type should be MultyDict instead of dict of lists.
It preserves all information about proxies in right order but original host still could be checked as req.forwarded.get('host')

[asvetlov]

return MultiDictProxy(params) -- it's an immutable view.

[asvetlov]

Use MultiDict here instead of dict of pairs. It preserves all information about proxies.

[asvetlov]

Drop previous line, in is not free but getall(hdrs.FORWARDED, ()) does the check using single call to data structure.

[evertlammerts]

I forgot Python < 3.5 doesn't like an arbitrary number of unpackings (*iterable). Just to be certain, is Python >= 3.4.2 still the requirement?

[asvetlov]

Yes, we sill support Python 3.4.2+
Will drop it soon but not right now.
It will be trivial but huge change -- replace all yield from with await :)

[evertlammerts]

I seem to have missed a couple of things:

• field values are separated by comma: my implementation rather assumes that each header has a single field value in which each parameter may occur multiple times (i.e. I allow host=abc; host=def; which is explicitly not allowed and should be host=abc, host=def)
• MultiDict maintains order between values, so I can just use md.add()

Regarding OWS around =, I can't find examples where that is allowed. Actually, I think it isn't allowed around ; either, or at least the ABNF doesn't include OWS or RWS. (Another bug in my regexes.) The only place where it seems to be allowed is the field-value separator (,).

I looked for examples of whitespace around = in other places as well. I can only think of the Content-* (charset=...) and Accept(q=...) headers as ones that also accept key-value pairs and RFC 7231 explicitly doesn't allow whitespace. Why do you think it is allowed? Maybe something to do with clients not being compliant?

I'll do my best to add some more commits later this week. When are you planning the next release, @asvetlov?

[asvetlov]

Ok, I'm convinced regarding to spaces.
But commas and proper multidict usage (md.add(k, v)) should be fixed.
There is no scheduled date for the release.
I love to have this issue in next version and could wait for you for a while if @fafhrd91 agrees with me.

[fafhrd91]

@asvetlov it is your call. I am busy with different project in any case

[evertlammerts]

d1ba86b fixes the last issues, as far as I can see.

• It is now possible to provide multiple field-values (comma separated list) in a single Forwarded header. See the tests / code in d1ba86b for the supported semantics.
• I've fixed the unpacking issue. The patch should be compatible with Python 3.4 now.
• I've fixed an issue with the quoted-pairs regex, for quoted-strings (ie host="something \"escaped\"" now works correctly)

As far as the return type goes, I've changed that to a tuple containing MappingProxies. The semantics of the Forwarded header are so that every proxy may add a Forwarding field-value; by, for, host and proto in any combination, but not multiple times per field-value. When a proxy adds a new Forwarding field-value, it either appends it to an already existing Forwarding header (after a comma) or it adds a new Forwarding header at the bottom. I think it's useful to maintain the information about the order in which proxies added something. So now the result will look something like:

req.forward = (
    MappingProxy({'by': ..., 'for': ...}),  # added by proxy 1
    MappingProxy({'host': '...', 'for': ..., 'proto': ...}),  # added by proxy 2
    # ... etc
)

If a field-value added by a proxy cannot be parsed, the code will add a MappingProxy(dict()) so that users can still see that something is there, and that it was added by a proxy at that point in the chain.

Let me know what you think, @asvetlov.

[asvetlov]

Awesome work @evertlammerts
Very thank you!

[adamcharnock]

For anyone else chasing their tail trying to figure out where this feature has gone, it has been removed and moved into middleware. See here:

#2171 (comment)

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a [new issue] for related bugs.
If you feel like there's important points made in this discussion, please include those exceprts into that [new issue].
[new issue]: https://github.com/aio-libs/aiohttp/issues/new