Is Zope4/5 be able to manage x-forwarded-proto header?

albertduran · December 23, 2022, 8:56am

I tried to configure plone.recipe.zope2instance for waitress with options described here:

but I can't achieve that trusted-proxy works in buildout (I tried this solution). I think that for this reason the request doesn't execute parse_proxy_headers function in:

github.com

Pylons/waitress/blob/main/src/waitress/proxy_headers.py

from collections import namedtuple

from .utilities import BadRequest, logger, undquote

PROXY_HEADERS = frozenset(
    {
        "X_FORWARDED_FOR",
        "X_FORWARDED_HOST",
        "X_FORWARDED_PROTO",
        "X_FORWARDED_PORT",
        "X_FORWARDED_BY",
        "FORWARDED",
    }
)

Forwarded = namedtuple("Forwarded", ["by", "for_", "host", "proto"])


class MalformedProxyHeader(Exception):
    def __init__(self, header, reason, value):

This file has been truncated. show original

So, I'm doing something wrong? There is some point that I didn't take into account?

Thank you,

dieter · December 23, 2022, 10:29am

Alberto Duran via Plone Community wrote at 2022-12-23 09:06 +0000:

I tried to configure plone.recipe.zope2instance for waitress with options described here:
GitHub - plone/plone.recipe.zope2instance: zc.buildout recipe to setup and configure a Zope 2 instance.

but I can't achieve that trusted-proxy works in buildout (I tried this solution). I think that for this reason the request doesn't execute parse_proxy_headers function in:

waitress/src/waitress/proxy_headers.py at main · Pylons/waitress · GitHub

trusted-proxy works with zc.buildout.
You put it into the zope-conf-additional definition.

Note that trusted-proxy is a ZPublisher and not a waitress option.
It lets ZPublisher honor the X_FORWARDED_FOR option for
trusted proxies (when it determines a request's
effective IP address). It has no effect on waitress.

fredvd · December 23, 2022, 11:08am

According to

https://docs.pylonsproject.org/projects/waitress/en/stable/reverse-proxy.html

Waitress should support the X-Forwarded-For headers, which is the default wsgi runner for the Plone backend since Plone 5.2

fredvd · December 23, 2022, 11:16am

Please also consider the role of buildout here: it is not buildout that does or does not support trusted-proxy.

A buildout recipe generates the configurations for Zope/Waitress in somepath / zope.conf and wsgi.ini. It’s waitress that needs to peel off the request headers set by trusted proxies (there can be multiple) and set the correct client ip.

There are also generic wsgi middlewares that can do this, maybe useful for other wsgi servers thar don’t support this.

Also check that your nginx/Apache config correctly forwards/leaves the x-forwarded-for headers intact.

A nice debugging trick to see all incoming headers is to create a small Python script in the ZMI in the root of your site that echo’s all headers.

albertduran · December 23, 2022, 1:18pm

Hi Fred, thanks for the info.

I understand what you say but the situation is the following:
Our customer uses AWS and alb balancer and doesn't want to use nginx. He adds some headers:
"X_FORWARDED_FOR": ip,
"X_FORWARDED_PROTO":"https"

and wants that Zope/Plone answers using https. As you said before, Plone backend uses Waitress as the default wsgi since Plone 5.2. However, I don't know how configurate Waitress to work with Plone and understand these headers.

Any information will helps me.

Thanks a lot for your time.

dieter · December 23, 2022, 3:11pm

Alberto Duran via Plone Community wrote at 2022-12-23 13:28 +0000:

I understand what you say but the situation is the following:
Our customer uses AWS and alb balancer and doesn't want to use nginx. He adds some headers:
"X_FORWARDED_FOR": ip,
"X_FORWARDED_PROTO":"https"

and wants that Zope/Plone answers using https. As you said before, Plone backend uses Waitress as the default wsgi since Plone 5.2. However, I don't know how configurate Waitress to work with Plone and understand these headers.

Any information will helps me.

ZPublisher understands the trusted-proxy configuration option
(code in ZPublisher.HTTPRequest.HTTPRequest.__init__)
and uses it to determine the effective client IP address.
This is a ZPubliser (not waitress) option and must be put into zope.conf
(not zope.ini).

Why should Plone answer differently then it has been requested,
e.g. why should it answer with https for a http request?

Zope uses virtual host support to control the protocol
reference in the URLs it generates.
You find documentation via <URL to your Zope>/virtual_hosting/manage_main.

seanupton · December 27, 2022, 10:01pm

I am under the impression that this is not how the headers should be spelled here: the all-uppercase-underscore-separated syntax appears to be internal to how Waitress handles environment variables based on headers, and is not the name of the headers, which should be X-Forwarded-For (with hyphens, not underscores), and X-Forwarded-Proto.

I would highly recommend that you consider printing, logging, or actively debugging actual headers coming from any requests from reverse proxies you intend to configure behind, to verify that the headers you are expecting are the ones set.

albertduran · December 28, 2022, 10:02am

Thanks a lot Dieter. I've been seen Zope/src/ZPublisher/HTTPRequest.py at master · zopefoundation/Zope · GitHub, and in that point is when the application decides to use one protocol or another. If I have an external rewriter, I'll add some headers such as 'HTTPS', 'SERVER_PORT_SECURE' or 'REQUEST_SCHEME' to specify 'https' but in this case I can't do it. There is another option 'wsgi.url_scheme', but I don't know how to set it up. Is it also needed a Web Server?

Zope uses virtual host support to control the protocol
reference in the URLs it generates.
You find documentation via <URL to your Zope>/virtual_hosting/manage_main .

It helps me to understand how it works. But it doesn't work for me because I don't have a Web Server.

albertduran · December 28, 2022, 10:13am

Thanks Sean. I've extracted this headers at some point of code during last week when I was debugging. I don't remember if it is from the environ variable in ZPublisher or from waitress egg.
I'll revise it again but I think that this headers are correct.

dieter · December 28, 2022, 11:16am

Alberto Duran via Plone Community wrote at 2022-12-28 10:12 +0000:

...
If I have an external rewriter, I'll add some headers such as 'HTTPS', 'SERVER_PORT_SECURE' or 'REQUEST_SCHEME' to specify 'https' but in this case I can't do it. There is another option 'wsgi.url_scheme', but I don't know how to set it up. Is it also needed a Web Server?

Zope is not a full blown WSGI application.
For legacy reasons, Zope still partially uses its own options.
This is the case for trusted-proxy and virtual hosting.
Therefore, it will not help when you set wsgi.url_scheme.

Zope uses virtual host support to control the protocol
reference in the URLs it generates.
You find documentation via <URL to your Zope>/virtual_hosting/manage_main .

It helps me to understand how it works. But it doesn't work for me because I don't have a Web Server.

You have at least 2 web servers:

the one which adds the X-Forwarded-For header
waitress.

Typically, the first web server would be configured to rewrite
the incoming URL to include the virtual hosting parts.

Zope's virtual hosting supports in addition a static
mapping. I have never used it (because the type of web server
I use has not problems with the URL rewriting). Therefore,
you must look around yourself to find out how it works.