middleware: Allow HTTP from localhost, not through a reverse proxy.

In servers with `application_server.http_only = true` and `loadbalancer.ips` set, the DetectProxyMisconfiguration middleware prevents access over HTTP from IP addresses other than the loadbalancer. However, this misses the case of access from localhost over HTTP, which is safe and expected -- for instance, the `email-mirror-postfix` script used in the email gateway[^1] will post to `http://localhost/` by default in such configurations. With the DetectProxyMisconfiguration installed, this will result in a 403 response. Make an exception for requests from `127.0.0.1` and `::1` from proxy-misconfiguration rejections. [^1]: https://zulip.readthedocs.io/en/latest/production/email-gateway.html
2023-08-17 18:29:24 +00:00 · 2023-08-17 18:29:24 +00:00 · 5368d1bd4c
parent d8c6311e33
commit 5368d1bd4c
1 changed files with 10 additions and 1 deletions
--- a/zerver/middleware.py
+++ b/zerver/middleware.py
@ -636,7 +636,16 @@ class DetectProxyMisconfiguration(MiddlewareMixin):
        # misconfigured, but we cannot distinguish this from a random
        # client which is providing proxy headers to a correctly
        # configured Zulip.
-        if proxy_state_header != "" and not request.is_secure():
+        #
+        # There is a complication to the above logic -- we do expect
+        # that requests not through the proxy may happen from
+        # localhost over HTTP (e.g. the email gateway).  Skip warnings
+        # if the remote IP is localhost.
+        if (
+            proxy_state_header != ""
+            and not request.is_secure()
+            and request.META["REMOTE_ADDR"] not in ("127.0.0.1", "::1")
+        ):
            raise ProxyMisconfigurationError(proxy_state_header)