allows people to set the X-Forwarded-For header key and disable it by

setting an empty string. close #268 . Thanks for the feedback!
2026-01-14 11:09:11 +08:00 · 2011-10-05 08:07:30 +02:00 · 2011-10-05 08:07:30 +02:00 · f7b14431b9
commit f7b14431b9
parent 99d85e9cce
2 changed files with 13 additions and 2 deletions
--- a/gunicorn/config.py
+++ b/gunicorn/config.py
@ -582,6 +582,16 @@ class SecureSchemeHeader(Setting):
        It is important that your front-end proxy configuration ensures that
        the headers defined here can not be passed directly from the client.
        """
+class XForwardedFor(Setting):
+    name = "x_forwarded_for_header"
+    section = "Server Mechanics"
+    meta = "STRING"
+    validator = validate_string
+    default = 'X-FORWARDED-FOR'
+    desc = """\
+        Set the X-Forwarded-For header that identify the originating IP
+        address of the client connection to gunicorn via a proxy.
+        """

 class AccessLog(Setting):
    name = "accesslog"
--- a/gunicorn/http/wsgi.py
+++ b/gunicorn/http/wsgi.py
@ -68,14 +68,15 @@ def create(req, sock, client, server, cfg):
    url_scheme = "http"
    script_name = os.environ.get("SCRIPT_NAME", "")

-    secure_headers = getattr(cfg, "secure_scheme_headers")
+    secure_headers = cfg.secure_scheme_headers
+    x_forwarded_for_header = cfg.x_forwarded_for_header

    for hdr_name, hdr_value in req.headers:
        if hdr_name == "EXPECT":
            # handle expect
            if hdr_value.lower() == "100-continue":
                sock.send("HTTP/1.1 100 Continue\r\n\r\n")
-        elif hdr_name == "X-FORWARDED-FOR":
+        elif hdr_name == x_forwarded_for_header:
            forward = hdr_value
        elif (hdr_name.upper() in secure_headers and
              hdr_value == secure_headers[hdr_name.upper()]):