jdabtieu / CTFOJ

Lightweight CTF judge platform for capture-the-flag (CTF) clubs
GNU Affero General Public License v3.0

[BUG] Remote address not logged properly when running Pythonanywhere #173

Closed jdabtieu closed 1 year ago

jdabtieu commented 2 years ago

Describe the bug

Because of their load balancer, request.remote_addr returns the address of the load balancer

Same happens for Nginx forwarding traffic to Docker

It should return the address of the remote user; instead, they use request.headers['X-Real-IP'].

Possible Solution

Add a check for Pythonanywhere, and overwrite request.remote_addr with the real IP.

Overwrite request.remote_addr with request.headers['X-Real-IP'] if the app is run under a proxy

works on PythonAnywhere and for Nginx, if it's set (vulnerability if nginx is misconfigured, perhaps we should add something in the docs/settings about this)

slightlyskepticalpotat commented 1 year ago

Note that the PYTHONANYWHERE_SITE envvar is only set on PythonAnywhere.

jdabtieu commented 1 year ago

I think honestly the way to deal with this is to create a middleware to rewrite request.remote_addr to request.header["X-Real-IP"] if the user sets some boolean in the settings
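The middleware described in the last comment, together with the "vulnerability if nginx is misconfigured" caveat from the first one, as an added example that is not CTFOJ's own code. It is a plain WSGI wrapper (CTFOJ is assumed to be a Flask app, so it would be attached as `app.wsgi_app = RealIPMiddleware(app.wsgi_app, ...)`), it only consults X-Real-IP when the operator's boolean is set, and it optionally restricts the rewrite to requests that actually arrive from a listed proxy network, so that a client hitting the app directly (for example a Docker port exposed next to Nginx) cannot forge its address. The environ key `realip.orig_remote_addr`, the `CTFOJ_BEHIND_PROXY` variable and the sample addresses are assumptions; `PYTHONANYWHERE_SITE` is the env var mentioned in the thread.

```python
"""Rewrite REMOTE_ADDR from X-Real-IP only when a trusted proxy is in front.

Added example, not CTFOJ project code. Pure WSGI so it runs without Flask.
"""
import ipaddress
import os
from typing import Callable, Iterable, Optional

WSGIApp = Callable[[dict, Callable], Iterable[bytes]]


def parse_ip(value: Optional[str]):
    """Return an ip_address for a well-formed IPv4/IPv6 string, else None."""
    if not value:
        return None
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


class RealIPMiddleware:
    """Overwrite REMOTE_ADDR with X-Real-IP when the operator says there is a proxy.

    enabled:         the boolean setting proposed in the thread. When False the
                     header is ignored entirely, so a direct client cannot spoof it.
    trusted_proxies: optional CIDRs of proxies allowed to set the header. Empty
                     means "trust whatever peer we see" (the PythonAnywhere case,
                     where the load balancer addresses are not known in advance).
    """

    ORIG_KEY = "realip.orig_remote_addr"  # hypothetical environ key for the proxy's own address

    def __init__(self, app: WSGIApp, enabled: bool, trusted_proxies: Iterable[str] = ()):
        self.app = app
        self.enabled = enabled
        self.trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_proxies]

    def peer_is_trusted(self, peer: Optional[str]) -> bool:
        """Is the TCP peer one of the configured proxies (or is no allowlist set)?"""
        if not self.trusted:
            return True
        ip = parse_ip(peer)
        return ip is not None and any(ip in net for net in self.trusted)

    def __call__(self, environ: dict, start_response):
        if self.enabled:
            peer = environ.get("REMOTE_ADDR")
            real = parse_ip(environ.get("HTTP_X_REAL_IP"))
            # Only a syntactically valid header from a trusted peer replaces the address.
            if real is not None and self.peer_is_trusted(peer):
                environ[self.ORIG_KEY] = peer
                environ["REMOTE_ADDR"] = str(real)
        return self.app(environ, start_response)


def echo_remote_addr(environ, start_response):
    """Minimal WSGI app standing in for the Flask app: returns the address it sees."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("REMOTE_ADDR", "").encode()]


def seen_remote_addr(app: WSGIApp, peer: str, x_real_ip: Optional[str] = None) -> str:
    """Drive `app` with a constructed WSGI environ and return the address it saw."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": peer}
    if x_real_ip is not None:
        environ["HTTP_X_REAL_IP"] = x_real_ip
    body = b"".join(app(environ, lambda status, headers: None))
    return body.decode()


def enabled_from_environment() -> bool:
    """Derive the setting as the thread suggests: on by env var on PythonAnywhere,
    otherwise by an explicit operator flag (CTFOJ_BEHIND_PROXY is hypothetical)."""
    return "PYTHONANYWHERE_SITE" in os.environ or os.environ.get("CTFOJ_BEHIND_PROXY") == "1"


if __name__ == "__main__":
    # With Flask this would be: app.wsgi_app = RealIPMiddleware(app.wsgi_app, enabled=...)
    off = RealIPMiddleware(echo_remote_addr, enabled=False)
    nginx = RealIPMiddleware(echo_remote_addr, enabled=True,
                             trusted_proxies=["10.0.0.0/8", "172.16.0.0/12"])
    print(seen_remote_addr(off, "203.0.113.5", "198.51.100.7"))    # 203.0.113.5 (header ignored)
    print(seen_remote_addr(nginx, "10.0.0.2", "198.51.100.7"))     # 198.51.100.7 (via proxy)
    print(seen_remote_addr(nginx, "203.0.113.5", "198.51.100.7"))  # 203.0.113.5 (direct hit, spoof rejected)
```

The allowlist is what closes the gap noted in the first comment: with the boolean on but no proxy in the path, a bare `X-Real-IP` rewrite lets any client choose the address that ends up in the logs, so the documentation for the setting should tell operators to list the proxy network whenever the app port is reachable without going through it.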