mirror of
https://github.com/searxng/searxng.git
synced 2025-08-03 02:22:22 +02:00
eb9f20a823
Replaces `x_for` functionality with `trusted_proxies`. This allows defining which IP / ranges to trust extracting the client IP address from X-Forwarded-For and X-Real-IP headers. We don't know if the proxy chain will give us the proper client address, so we rely on reading the headers of the proxy before SearXNG (if there is one, in that case it must be added to trusted_proxies) hoping it has done the proper checks. In case a proxy in the chain does not check the client address correctly, integrity is compromised and this should be fixed by whoever manages the proxy, not us. I had to move the get_cnf func to another file (config.py) to prevent cyclic imports since we need to read the list inside _helpers.py Closes https://github.com/searxng/searxng/issues/4907 Closes https://github.com/searxng/searxng/issues/3632 Closes https://github.com/searxng/searxng/issues/3191 Closes https://github.com/searxng/searxng/issues/1237 Related https://github.com/searxng/searxng-docker/issues/386 Related https://github.com/inetol-infrastructure/searxng-container/issues/81
49 lines
1.4 KiB
TOML
49 lines
1.4 KiB
TOML
[real_ip]
|
|
|
|
# The prefix defines the number of leading bits in an address that are compared
|
|
# to determine whether or not an address is part of a (client) network.
|
|
|
|
ipv4_prefix = 32
|
|
ipv6_prefix = 48
|
|
|
|
[botdetection.ip_limit]
|
|
|
|
# To get unlimited access in a local network, by default link-local addresses
|
|
# (networks) are not monitored by the ip_limit
|
|
filter_link_local = false
|
|
|
|
# activate link_token method in the ip_limit method
|
|
link_token = false
|
|
|
|
[botdetection.ip_lists]
|
|
|
|
# If the request IP is in trusted_proxies list, the client IP address is
|
|
# extracted from the X-Forwarded-For and X-Real-IP headers. This should be
|
|
# used if SearXNG is behind a reverse proxy or load balancer.
|
|
|
|
trusted_proxies = [
|
|
'127.0.0.1/32',
|
|
'::1',
|
|
# '192.168.0.0/16',
|
|
# '172.16.0.0/12',
|
|
# '10.0.0.0/8',
|
|
# 'fd00::/8',
|
|
]
|
|
|
|
# In the limiter, the ip_lists method has priority over all other methods -> if
|
|
# an IP is in the pass_ip list, it has unrestricted access and it is also not
|
|
# checked if e.g. the "user agent" suggests a bot (e.g. curl).
|
|
|
|
block_ip = [
|
|
# '93.184.216.34', # IPv4 of example.org
|
|
# '257.1.1.1', # invalid IP --> will be ignored, logged in ERROR class
|
|
]
|
|
|
|
pass_ip = [
|
|
# '192.168.0.0/16', # IPv4 private network
|
|
# 'fe80::/10' # IPv6 linklocal / wins over botdetection.ip_limit.filter_link_local
|
|
]
|
|
|
|
# Activate passlist of (hardcoded) IPs from the SearXNG organization,
|
|
# e.g. `check.searx.space`.
|
|
pass_searxng_org = true
|