Benoit Chesneau 112d5353c1 fix: enforce proxy_allow_ips and tighten PROXY parsing in ASGI
Three findings against the ASGI PROXY protocol path:

- High: an untrusted peer could send a PROXY v1/v2 header and have the
  client address surfaced to the app. _setup_callback_parser now passes
  proxy_protocol='off' to the parser when the peer is not in
  proxy_allow_ips. _effective_peername adds a defensive re-check.
- Medium: PROXY v1 TCP4/TCP6 addresses were copied as strings without
  validation. Validate with socket.inet_pton, mirroring the WSGI parser.
- Medium: PROXY v2 quietly mapped non-STREAM (DGRAM) protocols to
  UDP4/UDP6. gunicorn is an HTTP server; reject non-STREAM with
  InvalidProxyHeader, mirroring the WSGI parser.
2026-05-03 22:28:48 +02:00
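The three checks listed in the commit message above, shown as an added example; this is not gunicorn's code. The function names, the local `InvalidProxyHeader` stand-in and the allow-list matching (IP, CIDR or `*`) are assumptions made for illustration.

```python
import ipaddress
import socket

class InvalidProxyHeader(ValueError):
    """Local stand-in for the error named in the commit message."""

FAMILIES = {"TCP4": socket.AF_INET, "TCP6": socket.AF_INET6}

def parse_proxy_v1(line):
    """Return (src_ip, src_port) from a PROXY v1 line, or None for UNKNOWN."""
    if len(line) > 107 or not line.endswith(b"\r\n"):
        raise InvalidProxyHeader("bad length or terminator")
    try:
        parts = line[:-2].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise InvalidProxyHeader("non-ASCII header") from None
    if parts[0] != "PROXY" or len(parts) < 2:
        raise InvalidProxyHeader("missing PROXY signature")
    if parts[1] == "UNKNOWN":
        return None
    if parts[1] not in FAMILIES or len(parts) != 6:
        raise InvalidProxyHeader("unsupported protocol or field count")
    src, dst, sport, dport = parts[2:]
    try:
        # inet_pton accepts only a literal address of the declared family
        socket.inet_pton(FAMILIES[parts[1]], src)
        socket.inet_pton(FAMILIES[parts[1]], dst)
    except (OSError, ValueError):
        raise InvalidProxyHeader("invalid address") from None
    for port in (sport, dport):
        if not port.isdigit() or int(port) > 65535:
            raise InvalidProxyHeader("invalid port")
    return src, int(sport)

def peer_is_trusted(peer_ip, allow_ips):
    """True if the TCP peer matches an allow-list entry (IP, CIDR or '*')."""
    if "*" in allow_ips:
        return True
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in allow_ips)

def effective_client(peer, first_line, allow_ips):
    """Client address to surface to the app for one connection."""
    if not first_line.startswith(b"PROXY ") or not peer_is_trusted(peer[0], allow_ips):
        # No header or untrusted peer: keep the socket address, parse nothing.
        return peer
    return parse_proxy_v1(first_line) or peer

HDR = b"PROXY TCP4 203.0.113.7 10.0.0.5 51000 8000\r\n"  # constructed sample
```

With `HDR` arriving from a peer inside the allow list the claimed source address is returned; from any other peer the socket address is kept and the header is never parsed.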

Gunicorn

Gunicorn is maintained by volunteers. If it powers your production, please consider supporting us:
GitHub Sponsors Revolut

Gunicorn 'Green Unicorn' is a Python WSGI HTTP Server for UNIX. It's a pre-fork worker model ported from Ruby's Unicorn project. The Gunicorn server is broadly compatible with various web frameworks, simply implemented, light on server resource usage, and fairly speedy.

New in v25: Per-app worker allocation for dirty arbiters, HTTP/2 support (beta)!

Quick Start

pip install gunicorn
gunicorn myapp:app --workers 4

For ASGI applications (FastAPI, Starlette):

gunicorn myapp:app --worker-class asgi

Features

  • WSGI support for Django, Flask, Pyramid, and any WSGI framework
  • ASGI support for FastAPI, Starlette, Quart
  • HTTP/2 support (beta) with multiplexed streams
  • Dirty Arbiters (beta) for heavy workloads (ML models, long-running tasks)
  • uWSGI binary protocol for nginx integration
  • Multiple worker types: sync, gthread, gevent, eventlet, asgi
  • Graceful worker process management
  • Compatible with Python 3.9+

Documentation

Full documentation at https://gunicorn.org

Support

Powering Python apps since 2010. Support continued development.

Become a Sponsor

Sponsors

Enki Multimedia

License

Gunicorn is released under the MIT License. See the LICENSE file for details.

Description
gunicorn 'Green Unicorn' is a WSGI HTTP Server for UNIX, fast clients and sleepy applications.
Languages
Python 99.9%