
I have a Flask REST API, configured to listen on HTTP at port 7001.

I have also set up Apache as a reverse proxy to supply HTTPS.

My Flask app is also using ProxyFix to be able to correctly detect the incoming IP address in order to use flask.limiter.

from flask import Flask, abort, request
from werkzeug.middleware.proxy_fix import ProxyFix
REST_API = Flask(__name__)
REST_API.wsgi_app = ProxyFix(REST_API.wsgi_app, x_for=1)

I want to reject all requests which are not coming from my reverse proxy, but rather directly to my 7001 port. Without ProxyFix, I could use this method:

@REST_API.before_request
def limit_remote_addr():
    logger.debug(request.remote_addr)
    if request.remote_addr != '127.0.0.1':
        error_msg = get_error(ServerErrors.NO_PROXY)
        abort(403, error_msg)

But now with ProxyFix, I am always seeing the original IP.

Is there a way to detect if the requester is coming via my reverse proxy in this setup?

Db0
  • Not a direct answer, but I think the problem is caused by exposing an internal service to the outside world. Make your Flask app listen on 127.0.0.1 only (and ::1 for IPv6). Nobody will be able to connect directly from outside. Alternatively block the port 7001 with your firewall. – VPfB Sep 22 '22 at 09:56
  • Ah right, didn't think to bind flask to localhost listen only. I'll try that. – Db0 Sep 22 '22 at 14:18
  • That's a good solution. If you want, post it as an answer and I'll select it. – Db0 Sep 22 '22 at 22:26
  • I'm glad I could help. However I prefer not to write it as an answer, because I did not answer your question as it is phrased and tagged. It would probably not help other users searching the SO site for a solution for their problem. – VPfB Sep 23 '22 at 05:53
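
An added example, not part of the original question or its comments: a standard-library WSGI guard that checks the socket peer address before ProxyFix rewrites `REMOTE_ADDR`, as a second layer next to binding the app to 127.0.0.1. `LoopbackPeerOnly`, `demo_app` and `probe` are hypothetical names, the request values are constructed, and the wiring in the docstring assumes the `REST_API` object from the question.

```python
import ipaddress
from wsgiref.util import setup_testing_defaults


class LoopbackPeerOnly:
    """WSGI guard: reject requests whose TCP peer is not the reverse proxy.

    It must be the outermost wrapper so that it reads REMOTE_ADDR before
    ProxyFix replaces it with the X-Forwarded-For value. Assumed wiring:
        REST_API.wsgi_app = ProxyFix(REST_API.wsgi_app, x_for=1)
        REST_API.wsgi_app = LoopbackPeerOnly(REST_API.wsgi_app)
    """

    def __init__(self, app, allowed=("127.0.0.1", "::1")):
        self.app = app
        self.allowed = {ipaddress.ip_address(a) for a in allowed}

    def __call__(self, environ, start_response):
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            peer = None  # missing or malformed address: fail closed
        # Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d
        if getattr(peer, "ipv4_mapped", None):
            peer = peer.ipv4_mapped
        if peer not in self.allowed:
            body = b"Direct access is not allowed\n"
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the Flask app: echoes the X-Forwarded-For header."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("HTTP_X_FORWARDED_FOR", "-").encode()]


def probe(app, remote_addr, forwarded_for=None):
    """Send one constructed request to a WSGI app; return (status, body)."""
    environ = {"REMOTE_ADDR": remote_addr}
    setup_testing_defaults(environ)
    if forwarded_for:
        environ["HTTP_X_FORWARDED_FOR"] = forwarded_for
    seen = {}
    body = b"".join(app(environ, lambda status, headers, exc=None: seen.update(status=status)))
    return seen["status"], body


guarded = LoopbackPeerOnly(demo_app)
```

Because the guard reads the peer address and never the header, a direct request to port 7001 that sets its own `X-Forwarded-For` is still refused.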
