fix(auth): make ProxyFix trust count configurable to prevent IP spoofing #67
Open
DeryFerd wants to merge 1 commit into
Add PROXY_TRUST_COUNT env var (default: 1) to control how many reverse proxies sit between the client and Evonic. When set to 0, X-Forwarded-For headers are ignored, preventing IP spoofing in direct deployments.

Without this, deployments without a reverse proxy allow any client to spoof their IP via X-Forwarded-For, defeating login rate limiting and making security audit logs unreliable.

Changes:
- config.py: add PROXY_TRUST_COUNT via _get_env_int (0-10, default 1)
- app.py: use config.PROXY_TRUST_COUNT instead of hardcoded x_for=1
- unit_tests/test_proxy_trust.py: 7 tests covering config parsing and IP resolution behaviour for trust=0 and trust=1
fahrudina pushed a commit to fahrudina/evonic that referenced this pull request Jun 13, 2026

…elease (anvie#67)

Replace hardcoded 'git pull origin main' and 'git clone --depth 1' with intelligent tag detection:
- Query remote tags via git ls-remote, filter semver tags (vX.Y.Z)
- Sort with version sort, pick the latest
- Clone with --branch <tag> for fresh installs
- Checkout tags/<tag> for existing repo updates
- Graceful fallback to main branch if no stable tags found

Previously the installer always pulled from main, meaning users got whatever was on HEAD — including potentially broken dev code. Now they get the latest stable release, as identified by version tags.
Problem

app.py hardcodes ProxyFix(x_for=1), which tells Flask to always trust the rightmost entry in the X-Forwarded-For header. That works when there is exactly one reverse proxy in front of Evonic (nginx, Caddy, Cloudflare, etc.), which is the common case.

But it breaks for direct deployments. If someone exposes Evonic straight to the internet without a reverse proxy, any client can send a fake X-Forwarded-For header and Evonic will trust it. The real client IP becomes whatever the attacker chose. This defeats the login rate limiter in routes/auth.py (keyed on request.remote_addr) and pollutes the security audit logs in backend/security_audit.py with wrong IPs.

The fix

Adds a PROXY_TRUST_COUNT environment variable so operators can match the trust level to their deployment topology:
- 0 for direct deployments with no proxy. X-Forwarded-For is ignored entirely.
- 1 (default) for single proxy setups, same behavior as today.
- 2 or higher for multi proxy chains (CDN in front of nginx in front of the app).

What changed

- config.py defines PROXY_TRUST_COUNT with bounds checking (0 to 10, default 1) via _get_env_int.
- app.py reads config.PROXY_TRUST_COUNT instead of the hardcoded 1.
- unit_tests/test_proxy_trust.py covers config parsing edge cases (default, zero, two, negative clamped to zero, invalid falls back to default) plus actual IP resolution behavior for trust=0 and trust=1.

Testing

All 7 new tests pass. Existing config and health tests still pass.

Backward compatibility

Default stays at 1, so existing deployments behind a proxy don't need to change anything. If you run Evonic directly on the internet, add PROXY_TRUST_COUNT=0 to your .env.
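The effect of the trust count on the rate-limit key, as an added example that is not code from this pull request or from Werkzeug: a stdlib-only model of the "Nth entry from the right" selection rule the description above attributes to ProxyFix. The function names, the clamping of values above 10, and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
# Added example: stdlib-only model of trust-count resolution. All names are hypothetical.

def parse_trust_count(raw, default=1, lo=0, hi=10):
    """Invalid or missing input -> default; out-of-range input -> clamped (assumed)."""
    try:
        return max(lo, min(hi, int(raw)))
    except (TypeError, ValueError):
        return default

def resolve_client_ip(peer_addr, xff, trust_count):
    """peer_addr: TCP peer seen by the app; xff: raw X-Forwarded-For value or None."""
    if trust_count <= 0 or not xff:
        return peer_addr                  # header ignored entirely
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if len(hops) < trust_count:
        return peer_addr                  # shorter than the proxy chain: do not guess
    return hops[-trust_count]             # entry written by the outermost trusted proxy

def limiter_keys(requests, trust_count):
    """Distinct rate-limit buckets produced by a list of (peer, xff) requests."""
    return {resolve_client_ip(peer, xff, trust_count) for peer, xff in requests}

# Constructed sample traffic: one real client, five login attempts per topology.
CLIENT = "198.51.100.7"
# Direct deployment: the header is entirely client-chosen and changes per attempt.
DIRECT = [(CLIENT, f"192.0.2.{i}") for i in range(1, 6)]
# One proxy (203.0.113.10) appends the real peer after whatever the client sent.
ONE_PROXY = [("203.0.113.10", f"192.0.2.{i}, {CLIENT}") for i in range(1, 6)]
# CDN (203.0.113.20) in front of nginx (203.0.113.10): each hop appends its peer.
TWO_PROXIES = [("203.0.113.10", f"192.0.2.{i}, {CLIENT}, 203.0.113.20")
               for i in range(1, 6)]

if __name__ == "__main__":
    cases = [("direct, trust=1", DIRECT, 1), ("direct, trust=0", DIRECT, 0),
             ("one proxy, trust=1", ONE_PROXY, 1),
             ("two proxies, trust=1", TWO_PROXIES, 1),
             ("two proxies, trust=2", TWO_PROXIES, 2)]
    for name, reqs, n in cases:
        print(f"{name:22} -> buckets: {sorted(limiter_keys(reqs, n))}")
```

A count set too high lets the client pick its own bucket on every request; a count set too low collapses every user behind the CDN into the CDN's address, so one noisy client can exhaust the limit for everyone.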