[mod] limiter: trusted proxies (#4911)

Replaces `x_for` functionality with `trusted_proxies`. This allows defining which IP / ranges to trust extracting the client IP address from X-Forwarded-For and X-Real-IP headers. We don't know if the proxy chain will give us the proper client address (REMOTE_ADDR in the WSGI environment), so we rely on reading the headers of the proxy before SearXNG (if there is one, in that case it must be added to trusted_proxies) hoping it has done the proper checks. In case a proxy in the chain does not check the client address correctly, integrity is compromised and this should be fixed by whoever manages the proxy, not us. Closes: - https://github.com/searxng/searxng/issues/4940 - https://github.com/searxng/searxng/issues/4939 - https://github.com/searxng/searxng/issues/4907 - https://github.com/searxng/searxng/issues/3632 - https://github.com/searxng/searxng/issues/3191 - https://github.com/searxng/searxng/issues/1237 Related: - https://github.com/searxng/searxng-docker/issues/386 - https://github.com/inetol-infrastructure/searxng-container/issues/81
2026-05-07 18:03:51 +02:00 · 2025-08-09 23:03:30 +02:00
parent 341d718c7f
commit ce8929cabe
24 changed files with 453 additions and 184 deletions
@@ -4,9 +4,10 @@ from __future__ import annotations
 import typing

 import re
+from ipaddress import ip_address
+
 from flask_babel import gettext

-from searx.botdetection._helpers import get_real_ip
 from searx.result_types import EngineResults

 from . import Plugin, PluginInfo
@@ -48,8 +49,10 @@ class SXNGPlugin(Plugin):
        if search.search_query.pageno > 1:
            return results

-        if self.ip_regex.search(search.search_query.query):
-            results.add(results.types.Answer(answer=gettext("Your IP is: ") + get_real_ip(request)))
+        if self.ip_regex.search(search.search_query.query) and request.remote_addr:
+            results.add(
+                results.types.Answer(answer=gettext("Your IP is: ") + ip_address(request.remote_addr).compressed)
+            )

        if self.ua_regex.match(search.search_query.query):
            results.add(results.types.Answer(answer=gettext("Your user-agent is: ") + str(request.user_agent)))
@@ -5,6 +5,7 @@ user searches for ``tor-check``.  It fetches the tor exit node list from
 user's IP address is in it.
 """
 from __future__ import annotations
+from ipaddress import ip_address
 import typing

 import re
@@ -14,7 +15,6 @@ from httpx import HTTPError
 from searx.network import get
 from searx.plugins import Plugin, PluginInfo
 from searx.result_types import EngineResults
-from searx.botdetection import get_real_ip

 if typing.TYPE_CHECKING:
    from searx.search import SearchWithPlugins
@@ -66,7 +66,7 @@ class SXNGPlugin(Plugin):
                results.add(results.types.Answer(answer=f"{msg} {url_exit_list}"))
                return results

-            real_ip = get_real_ip(request)
+            real_ip = ip_address(address=str(request.remote_addr)).compressed

            if real_ip in node_list:
                msg = gettext("You are using Tor and it looks like you have the external IP address")