Add proxy fix header handling for X-Forwarded-For etc.

datacube_ows/ogc.py

@@ -18,7 +18,14 @@
                                     lower_get_args, resp_headers)
 from datacube_ows.ows_configuration import get_config
 from datacube_ows.protocol_versions import supported_versions
-from datacube_ows.startup_utils import *  # pylint: disable=wildcard-import,unused-wildcard-import
+from datacube_ows.startup_utils import (initialise_aws_credentials,
+                                        initialise_babel, initialise_debugging,
+                                        initialise_flask,
+                                        initialise_ignorable_warnings,
+                                        initialise_logger,
+                                        initialise_prometheus,
+                                        initialise_sentry, parse_config_file,
+                                        proxy_fix)
 from datacube_ows.wcs1 import WCS_REQUESTS
 from datacube_ows.wms import WMS_REQUESTS
 
@@ -43,6 +50,9 @@
 # (controlled by environment variables)
 metrics = initialise_prometheus(app, _LOG)
 
+# Add middleware to fix proxy headers, controlled by environment variables
+app = proxy_fix(app, _LOG)
+
 # Protocol/Version lookup table
 OWS_SUPPORTED = supported_versions()
 

datacube_ows/startup_utils.py

@@ -209,6 +209,15 @@ def initialise_prometheus(app, log=None):
         return metrics
     return FakeMetrics()
 
+def proxy_fix(app, log=None):
+    # Proxy Fix, to respect X-Forwarded-For headers
+    if os.environ.get("PROXY_FIX", False):
+        from werkzeug.middleware.proxy_fix import ProxyFix
+        app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1, x_port=1)
+        if log is not None:
+            log.info("ProxyFix was enabled")
+    return app
+
 def request_extractor():
     qreq = request.args.get('request')
     return qreq

docs/environment_variables.rst

@@ -99,6 +99,14 @@ prometheus_multiproc_dir:
     The `Prometheus event monitoring system <https://prometheus.io>`_ is activated by
     setting this lower case environment variable.
 
+PROXY_FIX:
+    If ``$PROXY_FIX`` is set to "true", "yes", "on" or "1", the Flask application will trust the
+    X-Forwarded-For and other headers from a proxy server.
+
+    This is useful when running behind a reverse proxy server such as Nginx or CloudFront.
+
+    NEVER use in production without a reverse proxy server.
+
 Dev Tools
 ---------
 

wordlist.txt

@@ -92,6 +92,7 @@ coverages
 cp
 createdb
 credentialling
+christophfriedrich
 crs
 crss
 CRSs
@@ -263,6 +264,7 @@ multiproduct
 mv
 mysecretpassword
 namespace
+NaNs
 natively
 ncols
 ndays