- 新增图像生成接口,支持试用、积分和自定义API Key模式 - 实现生成图片结果异步上传至MinIO存储,带重试机制 - 优化积分预扣除和异常退还逻辑,保障用户积分准确 - 添加获取生成历史记录接口,支持时间范围和分页 - 提供本地字典配置接口,支持模型、比例、提示模板和尺寸 - 实现图片批量上传接口,支持S3兼容对象存储 feat(admin): 增加管理员角色管理与权限分配接口 - 实现角色列表查询、角色创建、更新及删除功能 - 增加权限列表查询接口 - 实现用户角色分配接口,便于统一管理用户权限 - 增加系统字典增删查改接口,支持分类过滤和排序 - 权限控制全面覆盖管理接口,保证安全访问 feat(auth): 完善用户登录注册及权限相关接口与页面 - 实现手机号验证码发送及校验功能,保障注册安全 - 支持手机号注册、登录及退出接口,集成日志记录 - 增加修改密码功能,验证原密码后更新 - 提供动态导航菜单接口,基于权限展示不同菜单 - 实现管理界面路由及日志、角色、字典管理页面访问权限控制 - 添加系统日志查询接口,支持关键词和等级筛选 feat(app): 初始化Flask应用并配置蓝图与数据库 - 创建应用程序工厂,加载配置,初始化数据库和Redis客户端 - 注册认证、API及管理员蓝图,整合路由 - 根路由渲染主页模板 - 应用上下文中自动创建数据库表,保证运行环境准备完毕 feat(database): 提供数据库创建与迁移支持脚本 - 新增数据库创建脚本,支持自动检测是否已存在 - 添加数据库表初始化脚本,支持创建和删除所有表 - 实现RBAC权限初始化,包含基础权限和角色创建 - 新增字段手动修复脚本,添加用户API Key和积分字段 - 强制迁移脚本支持清理连接和修复表结构,初始化默认数据及角色分配 feat(config): 新增系统配置参数 - 配置数据库、Redis、Session和MinIO相关参数 - 添加AI接口地址及试用Key配置 - 集成阿里云短信服务配置及开发模式相关参数 feat(extensions): 初始化数据库、Redis和MinIO客户端 - 创建全局SQLAlchemy数据库实例和Redis客户端 - 配置基于boto3的MinIO兼容S3客户端 chore(logs): 添加示例系统日志文件 - 记录用户请求、验证码发送成功与失败的日志信息
"""
X-Forwarded-For Proxy Fix
=========================

This module provides a middleware that adjusts the WSGI environ based on
``X-Forwarded-`` headers that proxies in front of an application may
set.

When an application is running behind a proxy server, WSGI may see the
request as coming from that server rather than the real client. Proxies
set various headers to track where the request actually came from.

This middleware should only be used if the application is actually
behind such a proxy, and should be configured with the number of proxies
that are chained in front of it. Not all proxies set all the headers.
Since incoming headers can be faked, you must set how many proxies are
setting each header so the middleware knows what to trust.

.. autoclass:: ProxyFix

:copyright: 2007 Pallets
:license: BSD-3-Clause
"""
from __future__ import annotations
import typing as t
from ..http import parse_list_header
if t.TYPE_CHECKING:
from _typeshed.wsgi import StartResponse
from _typeshed.wsgi import WSGIApplication
from _typeshed.wsgi import WSGIEnvironment
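class ProxyFix:
    """Adjust the WSGI environ based on ``X-Forwarded-`` headers that
    proxies in front of the application may set.

    -   ``X-Forwarded-For`` sets ``REMOTE_ADDR``.
    -   ``X-Forwarded-Proto`` sets ``wsgi.url_scheme``.
    -   ``X-Forwarded-Host`` sets ``HTTP_HOST``, ``SERVER_NAME``, and
        ``SERVER_PORT``.
    -   ``X-Forwarded-Port`` sets ``HTTP_HOST`` and ``SERVER_PORT``.
    -   ``X-Forwarded-Prefix`` sets ``SCRIPT_NAME``.

    You must tell the middleware how many proxies set each header so it
    knows what values to trust. It is a security issue to trust values
    that came from the client rather than a proxy.

    Note the defaults: ``x_for`` and ``x_proto`` are ``1``, so wrapping an
    application without arguments already trusts one value of
    ``X-Forwarded-For`` and ``X-Forwarded-Proto``. The other headers
    default to ``0`` and are ignored. A count of ``0`` (or any
    non-positive count) means the header is never applied.

    The original values of the headers are stored in the WSGI
    environ as ``werkzeug.proxy_fix.orig``, a dict.

    :param app: The WSGI application to wrap.
    :param x_for: Number of values to trust for ``X-Forwarded-For``.
    :param x_proto: Number of values to trust for ``X-Forwarded-Proto``.
    :param x_host: Number of values to trust for ``X-Forwarded-Host``.
    :param x_port: Number of values to trust for ``X-Forwarded-Port``.
    :param x_prefix: Number of values to trust for
        ``X-Forwarded-Prefix``.

    .. code-block:: python

        from werkzeug.middleware.proxy_fix import ProxyFix
        # App is behind one proxy that sets the -For and -Host headers.
        app = ProxyFix(app, x_for=1, x_host=1)

    .. versionchanged:: 1.0
        The ``num_proxies`` argument and attribute; the ``get_remote_addr`` method; and
        the environ keys ``orig_remote_addr``, ``orig_wsgi_url_scheme``, and
        ``orig_http_host`` were removed.

    .. versionchanged:: 0.15
        All headers support multiple values. Each header is configured with a separate
        number of trusted proxies.

    .. versionchanged:: 0.15
        Original WSGI environ values are stored in the ``werkzeug.proxy_fix.orig`` dict.

    .. versionchanged:: 0.15
        Support ``X-Forwarded-Port`` and ``X-Forwarded-Prefix``.

    .. versionchanged:: 0.15
        ``X-Forwarded-Host`` and ``X-Forwarded-Port`` modify
        ``SERVER_NAME`` and ``SERVER_PORT``.
    """

    def __init__(
        self,
        app: WSGIApplication,
        x_for: int = 1,
        x_proto: int = 1,
        x_host: int = 0,
        x_port: int = 0,
        x_prefix: int = 0,
    ) -> None:
        # The counts are stored as given; they are interpreted (and
        # non-positive values rejected) in ``_get_real_value``.
        self.app = app
        self.x_for = x_for
        self.x_proto = x_proto
        self.x_host = x_host
        self.x_port = x_port
        self.x_prefix = x_prefix

    def _get_real_value(self, trusted: int, value: str | None) -> str | None:
        """Get the real value from a list header based on the configured
        number of trusted proxies.

        The value is picked by counting ``trusted`` entries back from the
        right-hand end of the list, i.e. from the entry appended by the
        proxy closest to the application.

        :param trusted: Number of values to trust in the header.
        :param value: Comma separated list header value to parse.
        :return: The real value, or ``None`` if the header is missing or
            empty, if ``trusted`` is not a positive number, or if there
            are fewer values than the number of trusted proxies.

        .. versionchanged:: 1.0
            Renamed from ``_get_trusted_comma``.

        .. versionadded:: 0.15
        """
        # Fail closed on a non-positive count. A negative ``trusted`` would
        # otherwise turn ``values[-trusted]`` into an index counted from the
        # left-hand (client-supplied) end of the list, or raise IndexError
        # on short lists.
        if not trusted or trusted < 0 or not value:
            return None

        values = parse_list_header(value)

        if len(values) >= trusted:
            return values[-trusted]

        # Fewer entries than trusted proxies: the header cannot have
        # passed through the whole chain, so nothing is trusted.
        return None

    def __call__(
        self, environ: WSGIEnvironment, start_response: StartResponse
    ) -> t.Iterable[bytes]:
        """Modify the WSGI environ based on the various ``Forwarded``
        headers before calling the wrapped application. Store the
        original environ values in the ``werkzeug.proxy_fix.orig`` dict.

        The selected header values are written into the environ as
        received; this method does not check that they are well formed
        (for example that ``REMOTE_ADDR`` is an IP address or that
        ``SERVER_PORT`` is numeric).
        """
        environ_get = environ.get
        orig_remote_addr = environ_get("REMOTE_ADDR")
        orig_wsgi_url_scheme = environ_get("wsgi.url_scheme")
        orig_http_host = environ_get("HTTP_HOST")
        # Snapshot the pre-rewrite values first so that logging or auditing
        # code can still see the address of the directly connected peer.
        environ.update(
            {
                "werkzeug.proxy_fix.orig": {
                    "REMOTE_ADDR": orig_remote_addr,
                    "wsgi.url_scheme": orig_wsgi_url_scheme,
                    "HTTP_HOST": orig_http_host,
                    "SERVER_NAME": environ_get("SERVER_NAME"),
                    "SERVER_PORT": environ_get("SERVER_PORT"),
                    "SCRIPT_NAME": environ_get("SCRIPT_NAME"),
                }
            }
        )

        x_for = self._get_real_value(self.x_for, environ_get("HTTP_X_FORWARDED_FOR"))
        if x_for:
            environ["REMOTE_ADDR"] = x_for

        x_proto = self._get_real_value(
            self.x_proto, environ_get("HTTP_X_FORWARDED_PROTO")
        )
        if x_proto:
            environ["wsgi.url_scheme"] = x_proto

        x_host = self._get_real_value(self.x_host, environ_get("HTTP_X_FORWARDED_HOST"))
        if x_host:
            environ["HTTP_HOST"] = environ["SERVER_NAME"] = x_host
            # "]" to check for IPv6 address without port
            if ":" in x_host and not x_host.endswith("]"):
                environ["SERVER_NAME"], environ["SERVER_PORT"] = x_host.rsplit(":", 1)

        x_port = self._get_real_value(self.x_port, environ_get("HTTP_X_FORWARDED_PORT"))
        if x_port:
            # Read HTTP_HOST again: it may just have been replaced by the
            # X-Forwarded-Host handling above.
            host = environ.get("HTTP_HOST")
            if host:
                # "]" to check for IPv6 address without port
                if ":" in host and not host.endswith("]"):
                    host = host.rsplit(":", 1)[0]
                environ["HTTP_HOST"] = f"{host}:{x_port}"
            environ["SERVER_PORT"] = x_port

        x_prefix = self._get_real_value(
            self.x_prefix, environ_get("HTTP_X_FORWARDED_PREFIX")
        )
        if x_prefix:
            environ["SCRIPT_NAME"] = x_prefix

        return self.app(environ, start_response)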