[fix] correct determination of the IP for the request

To determine the IP of a request correctly, the function
botdetection.get_real_ip() is implemented.  This function is used in the
ip_limit and link_token methods of the botdetection and in the
self_info plugin.

A documentation about the X-Forwarded-For header has been added.

[1] https://github.com/searxng/searxng/pull/2357#issuecomment-1566211059

Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
Markus Heiser 2023-05-29 19:46:37 +02:00
parent b8c7c2c9aa
commit 38431d2e14
6 changed files with 42 additions and 41 deletions


@ -43,6 +43,7 @@ import flask
from searx import logger
from searx import redisdb
from searx.redislib import secret_hash
from ._helpers import get_real_ip
TOKEN_LIVE_TIME = 600
"""Livetime (sec) of limiter's CSS token."""
@ -73,7 +74,7 @@ def is_suspicious(request: flask.Request, renew: bool = False):
if not redis_client.get(ping_key):
logger.warning(
"missing ping (IP: %s) / request: %s",
request.headers.get('X-Forwarded-For', ''),
get_real_ip(request),
ping_key,
)
return True
@ -111,9 +112,7 @@ def get_ping_key(request: flask.Request):
PING_KEY
+ "["
+ secret_hash(
request.headers.get('X-Forwarded-For', '')
+ request.headers.get('Accept-Language', '')
+ request.headers.get('User-Agent', '')
get_real_ip(request) + request.headers.get('Accept-Language', '') + request.headers.get('User-Agent', '')
)
+ "]"
)
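Review bot: In get_ping_key the IP part of the hashed key now comes from `get_real_ip(request)`, which is defined outside this section, so the token-to-client binding is only as strong as that helper's handling of `X-Forwarded-For`; if the header reaches the application unfiltered, the client chooses this part of the key itself. A comment on the call would make the assumption explicit, for example `# get_real_ip() must only honour forwarded headers set by a trusted proxy`. The bare `+` also assumes the helper always returns a `str`, which the old `.get(..., '')` guaranteed; if it can return `None`, this line raises `TypeError`. The three values are still joined without a separator, so different (IP, Accept-Language, User-Agent) combinations can hash to the same key; `secret_hash("|".join((get_real_ip(request), request.headers.get('Accept-Language', ''), request.headers.get('User-Agent', ''))))` would avoid that. The body of get_ping_key starts above the hunk.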