Mercurial > kallithea
view init.d/supervisord.conf @ 8886:3d7ba590f6f5
auth: only use X- headers instead of REMOTE_ADDR if explicitly told so in remote_addr_header
Before, X-Forwarded-For (and others) headers would *always* be trusted blindly,
also in setups without a proxy server. It would thus in some cases be
possible for users to fake their IP, and thus potentially be possible to bypass
IP restrictions configured in Kallithea.
Fixed by making it configurable which WSGI environment variable to use for the
remote address. Users can configure remote_addr_header to for example
HTTP_X_FORWARDED_FOR instead of using the default REMOTE_ADDR.
This change is a bit similar to what is going on in the https_fixup middleware,
but is doing a bit more of what for example is happening in similar code in
werkzeug/middleware/proxy_fix.py .
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Sun, 09 May 2021 22:34:02 +0200 |
parents | 2c3d30095d5e |
children |
line wrap: on
line source
; Kallithea Supervisord ; ########################## ; for help see http://supervisord.org/configuration.html ; ########################## [inet_http_server] ; inet (TCP) server disabled by default port=127.0.0.1:9001 ; (ip_address:port specifier, *:port for all iface) ;username=user ; (default is no username (open server)) ;password=123 ; (default is no password (open server)) [supervisord] logfile=/%(here)s/supervisord_kallithea.log ; (main log file;default $CWD/supervisord.log) logfile_maxbytes=50MB ; (max main logfile bytes b4 rotation;default 50MB) logfile_backups=10 ; (num of main logfile rotation backups;default 10) loglevel=info ; (log level;default info; others: debug,warn,trace) pidfile=/%(here)s/supervisord_kallithea.pid ; (supervisord pidfile;default supervisord.pid) nodaemon=true ; (start in foreground if true;default false) minfds=1024 ; (min. avail startup file descriptors;default 1024) minprocs=200 ; (min. avail process descriptors;default 200) umask=022 ; (process file creation umask;default 022) user=username ; (default is current user, required if root) ;identifier=supervisor ; (supervisord identifier, default is 'supervisor') ;directory=/tmp ; (default is not to cd during start) ;nocleanup=true ; (don't clean up tempfiles at start;default false) ;childlogdir=/tmp ; ('AUTO' child log dir, default $TEMP) environment=HOME=/srv/kallithea ; (key value pairs to add to environment) ;strip_ansi=false ; (strip ansi escape codes in logs; def. false) ; the below section must remain in the config file for RPC ; (supervisorctl/web interface) to work, additional interfaces may be ; added by defining them in separate rpcinterface: sections [rpcinterface:supervisor] supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface [supervisorctl] serverurl=http://127.0.0.1:9001 ; use an http:// url to specify an inet socket ;username=user ; should be same as http_username if set ;password=123 ; should be same as http_password if set ;prompt=mysupervisor ; cmd line prompt (default "supervisor") ;history_file=~/.sc_history ; use readline history if available ; restart with supervisorctl restart kallithea:* [program:kallithea] numprocs = 1 numprocs_start = 5000 # possible should match ports directory=/srv/kallithea command = /srv/kallithea/venv/bin/gearbox serve -c my.ini process_name = %(program_name)s_%(process_num)04d redirect_stderr=true stdout_logfile=/%(here)s/kallithea.log