From 0c0d9e39f4603345a341d5a2af18fa4a12eeb73b Mon Sep 17 00:00:00 2001 From: Firelight Flagboy Date: Tue, 8 Oct 2024 16:12:29 +0200 Subject: [PATCH] Add option to enable proxy header Add a new option that configure the list of trusted address to parse the proxy headers from. The parsing is handled by `uvicorn` which currently only support `x-forwarded-{for,proto}` headers. Closes #8626, closes #8427 Co-authored-by: Marcos Medrano <786907+mmmarcos@users.noreply.github.com> --- docs/HOSTING.md | 46 ++++++++----------- docs/hosting/deployment/parsec.env | 3 -- newsfragments/8626.feature.rst | 1 + .../packaging/server/template-prod.env.list | 2 - server/parsec/asgi/__init__.py | 24 ++++------ server/parsec/cli/run.py | 39 +++++----------- server/parsec/cli/testbed.py | 6 ++- server/parsec/config.py | 2 +- server/tests/common/backend.py | 9 +++- 9 files changed, 51 insertions(+), 81 deletions(-) create mode 100644 newsfragments/8626.feature.rst diff --git a/docs/HOSTING.md b/docs/HOSTING.md index f67614d01b5..86f4cf2ffea 100644 --- a/docs/HOSTING.md +++ b/docs/HOSTING.md @@ -2,25 +2,24 @@ # Hosting Server -- [Hosting Server](#hosting-server) - - [Requirements](#requirements) - - [Hosting](#hosting) - - [Installation](#installation) - - [Run](#run) - - [Settings](#settings) - - [Host](#host) - - [Port](#port) - - [Database URL](#database-url) - - [Database connections](#database-connections) - - [Blockstore URL](#blockstore-url) - - [Administration token](#administration-token) - - [SSL](#ssl) - - [Logs](#logs) - - [Email](#email) - - [Webhooks](#webhooks) - - [SSE Keepalive](#sse-keepalive) - - [Sentry](#sentry) - - [Debug](#debug) +- [Requirements](#requirements) +- [Hosting](#hosting) +- [Installation](#installation) +- [Run](#run) +- [Settings](#settings) + - [Host](#host) + - [Port](#port) + - [Database URL](#database-url) + - [Database connections](#database-connections) + - [Blockstore URL](#blockstore-url) + - [Administration token](#administration-token) + - [SSL](#ssl) + - [Logs](#logs) + - [Email](#email) + - [Webhooks](#webhooks) + - [SSE Keepalive](#sse-keepalive) + - [Sentry](#sentry) + - [Debug](#debug) ## Requirements @@ -168,15 +167,6 @@ SSL key file. This setting enables serving Parsec over SSL. SSL certificate file. This setting enables serving Parsec over SSL. -- ``--forward-proto-enforce-https`` -- Environ: ``PARSEC_FORWARD_PROTO_ENFORCE_HTTPS`` - -Enforce HTTPS by redirecting incoming request that do not comply with the provided header. -This is useful when running Parsec behind a forward proxy handing the SSL layer. -You should *only* use this setting if you control your proxy or have some other -guarantee that it sets/strips this header appropriately. -Typical value for this setting should be `X-Forwarded-Proto:https`. - ### Logs - ``--log-level , -l `` diff --git a/docs/hosting/deployment/parsec.env b/docs/hosting/deployment/parsec.env index 3a45065a5d0..72e3841a186 100644 --- a/docs/hosting/deployment/parsec.env +++ b/docs/hosting/deployment/parsec.env @@ -7,9 +7,6 @@ PARSEC_SSL_KEYFILE=/run/secrets/parsec-pem-key # The SSL certificate file. PARSEC_SSL_CERTFILE=/run/secrets/parsec-pem-crt -# Enforce HTTPS by redirecting HTTP request. -PARSEC_FORWARD_PROTO_ENFORCE_HTTPS=X-Forwarded-Proto:https - # The granularity of Error log outputs. PARSEC_LOG_LEVEL=WARNING diff --git a/newsfragments/8626.feature.rst b/newsfragments/8626.feature.rst new file mode 100644 index 00000000000..bb9d9663c5d --- /dev/null +++ b/newsfragments/8626.feature.rst @@ -0,0 +1 @@ +Add server option ``--proxy-trusted-addresses`` to enable parsing of proxy headers from trusted addresses. By default, the server will trust the proxy headers from localhost. diff --git a/server/packaging/server/template-prod.env.list b/server/packaging/server/template-prod.env.list index 38d80ac7ab7..7e013eb1deb 100644 --- a/server/packaging/server/template-prod.env.list +++ b/server/packaging/server/template-prod.env.list @@ -23,8 +23,6 @@ PARSEC_DB_MAX_CONNECTIONS=7 # PARSEC_SSL_KEYFILE # The SSL certificate file. # PARSEC_SSL_CERTFILE -# Enforce HTTPS by redirecting HTTP request. -PARSEC_FORWARD_PROTO_ENFORCE_HTTPS=true # The granularity of Error log outputs. PARSEC_LOG_LEVEL=WARNING diff --git a/server/parsec/asgi/__init__.py b/server/parsec/asgi/__init__.py index 68ba698d3dc..a8b474df1d4 100644 --- a/server/parsec/asgi/__init__.py +++ b/server/parsec/asgi/__init__.py @@ -60,25 +60,11 @@ async def page_not_found(scope: Scope, receive: Receive, send: Send) -> None: app: AsgiApp = app_factory() -# TODO: implement forward_proto_enforce_https -# # Do https redirection if incoming request doesn't follow forward proto rules -# if backend.config.forward_proto_enforce_https: -# header_key, header_expected_value = backend.config.forward_proto_enforce_https - -# @app.before_request -# def redirect_unsecure() -> ResponseReturnValue | None: -# header_value = request.headers.get(header_key) -# # If redirection header match and protocol match, then no need for a redirection. -# if header_value is not None and header_value != header_expected_value: -# if request.url.startswith("http://"): -# return quart_redirect(request.url.replace("http://", "https://", 1), code=301) -# return None - - async def serve_parsec_asgi_app( app: AsgiApp, host: str, port: int, + proxy_trusted_addresses: list[str], ssl_certfile: Path | None = None, ssl_keyfile: Path | None = None, workers: int | None = None, @@ -93,6 +79,7 @@ async def serve_parsec_asgi_app( v_major, _ = parsec_version.split(".", 1) # ex: parsec/3 server_header = f"parsec/{v_major}" + # Note: Uvicorn comes with default values for incoming data size to # avoid DoS abuse, so just trust them on that ;-) config = uvicorn.Config( @@ -106,6 +93,13 @@ async def serve_parsec_asgi_app( ssl_keyfile=ssl_keyfile, # type: ignore ssl_certfile=ssl_certfile, workers=workers, + # Enable/Disable X-Forwarded-Proto, X-Forwarded-For to populate remote address info. + # When enabled, is restricted to only trusting connecting IPs in forwarded-allow-ips. + # See: https://www.uvicorn.org/settings/#http + # Currently uvicorn only supports X-Forwarded-* headers (https://github.com/encode/uvicorn/issues/2237) + proxy_headers=(proxy_trusted_addresses != []), + # Comma separated list of IP Addresses, IP Networks, or literals (e.g. UNIX Socket path) to trust with proxy headers + forwarded_allow_ips=proxy_trusted_addresses, # TODO: configure access log format: # Timestamp is added by the log processor configured in `parsec.logging`, # here we configure peer address + req line + rep status + rep body size + time diff --git a/server/parsec/cli/run.py b/server/parsec/cli/run.py index 9d7f6e47486..258a2c03635 100644 --- a/server/parsec/cli/run.py +++ b/server/parsec/cli/run.py @@ -43,19 +43,6 @@ DEFAULT_EMAIL_SENDER = "no-reply@parsec.com" -def _parse_forward_proto_enforce_https_check_param( - raw_param: str | None, -) -> tuple[str, str] | None: - if raw_param is None: - return None - try: - key, value = raw_param.split(":") - except ValueError: - raise click.BadParameter("Invalid format, should be `:`") - # HTTP header key is case-insensitive unlike the header value - return (key.lower(), value) - - def _parse_organization_initial_tos_url(raw_param: str | None) -> dict[TosLocale, TosUrl] | None: if raw_param is None: return None @@ -292,20 +279,15 @@ def handle_parse_result( help="Sender address used in sent emails", ) @click.option( - "--forward-proto-enforce-https", - type=str, - show_default=True, - default=None, - callback=lambda ctx, param, value: _parse_forward_proto_enforce_https_check_param(value), - envvar="PARSEC_FORWARD_PROTO_ENFORCE_HTTPS", + "--proxy-trusted-addresses", + default=["localhost", "127.0.0.1", "::1"], + envvar="PARSEC_PROXY_TRUSTED_ADDRESSES", + callback=lambda ctx, param, value: [item.strip() for item in str(value).split(",")], show_envvar=True, - help=( - "Enforce HTTPS by redirecting incoming request that do not comply with the provided header." - " This is useful when running Parsec behind a forward proxy handing the SSL layer." - " You should *only* use this setting if you control your proxy or have some other" - " guarantee that it sets/strips this header appropriately." - " Typical value for this setting should be `X-Forwarded-Proto:https`." - ), + help="""\b + Comma-separated list of IP Addresses, IP Networks or literals to trust with proxy headers. + Set this value to allow the server to use the forwarded headers from those clients. + """, ) @click.option( "--ssl-keyfile", @@ -373,7 +355,7 @@ def run_cmd( email_use_ssl: bool, email_use_tls: bool, email_sender: str | None, - forward_proto_enforce_https: tuple[str, str] | None, + proxy_trusted_addresses: list[str], ssl_keyfile: Path | None, ssl_certfile: Path | None, log_level: LogLevel, @@ -418,7 +400,7 @@ def run_cmd( sse_keepalive=sse_keepalive, blockstore_config=blockstore, email_config=email_config, - forward_proto_enforce_https=forward_proto_enforce_https, + proxy_trusted_addresses=proxy_trusted_addresses, server_addr=server_addr, debug=debug, organization_bootstrap_webhook_url=organization_bootstrap_webhook, @@ -505,6 +487,7 @@ async def _run_backend( port=port, ssl_certfile=ssl_certfile, ssl_keyfile=ssl_keyfile, + proxy_trusted_addresses=app_config.proxy_trusted_addresses, ) return diff --git a/server/parsec/cli/testbed.py b/server/parsec/cli/testbed.py index 484f146f6b3..21505b79201 100644 --- a/server/parsec/cli/testbed.py +++ b/server/parsec/cli/testbed.py @@ -240,7 +240,7 @@ async def testbed_backend_factory( debug=True, db_config=db_config, sse_keepalive=30, - forward_proto_enforce_https=None, + proxy_trusted_addresses=[], server_addr=server_addr, email_config=MockedEmailConfig("no-reply@parsec.com", tmpdir), blockstore_config=blockstore_config, @@ -343,7 +343,9 @@ async def _watch_and_stop_after_process(pid: int, cancel_scope: anyio.CancelScop app.state.testbed = testbed app.state.backend = testbed.backend - await serve_parsec_asgi_app(host=host, port=port, app=app) + await serve_parsec_asgi_app( + host=host, port=port, app=app, proxy_trusted_addresses=[] + ) click.echo("bye ;-)") diff --git a/server/parsec/config.py b/server/parsec/config.py index 6e04979281d..569985a2605 100644 --- a/server/parsec/config.py +++ b/server/parsec/config.py @@ -177,7 +177,7 @@ class BackendConfig: blockstore_config: BaseBlockStoreConfig email_config: SmtpEmailConfig | MockedEmailConfig - forward_proto_enforce_https: tuple[str, str] | None + proxy_trusted_addresses: list[str] server_addr: ParsecAddr | None debug: bool diff --git a/server/tests/common/backend.py b/server/tests/common/backend.py index 4828e086a06..a715ffad7ee 100644 --- a/server/tests/common/backend.py +++ b/server/tests/common/backend.py @@ -11,7 +11,12 @@ from parsec.backend import Backend, backend_factory from parsec.cli.testbed import TestbedBackend, TestbedTemplate from parsec.components.memory.organization import MemoryOrganization, OrganizationID -from parsec.config import BackendConfig, BaseBlockStoreConfig, BaseDatabaseConfig, MockedEmailConfig +from parsec.config import ( + BackendConfig, + BaseBlockStoreConfig, + BaseDatabaseConfig, + MockedEmailConfig, +) from tests.common.postgresql import reset_postgresql_testbed SERVER_DOMAIN = "parsec.invalid" @@ -33,7 +38,7 @@ def backend_config( debug=True, db_config=db_config, sse_keepalive=30, - forward_proto_enforce_https=None, + proxy_trusted_addresses=[], server_addr=ParsecAddr(hostname=SERVER_DOMAIN, port=None, use_ssl=True), email_config=MockedEmailConfig("no-reply@parsec.com", tmpdir), blockstore_config=blockstore_config,