diff --git a/axes/checks.py b/axes/checks.py
index 711bcf8..8746ea6 100644
--- a/axes/checks.py
+++ b/axes/checks.py
@@ -122,6 +122,12 @@ def axes_deprecation_check(app_configs, **kwargs): # pylint: disable=unused-arg
 deprecated_settings = [
 "AXES_DISABLE_SUCCESS_ACCESS_LOG",
 "AXES_LOGGER",
+ # AXES_PROXY_ and AXES_META_ parameters were updated to more explicit
+ # AXES_IPWARE_PROXY_ and AXES_IPWARE_META_ prefixes in version 6.x
+ "AXES_PROXY_ORDER",
+ "AXES_PROXY_COUNT",
+ "AXES_PROXY_TRUSTED_IPS",
+ "AXES_META_PRECEDENCE_ORDER",
 ]
 for deprecated_setting in deprecated_settings:
diff --git a/axes/conf.py b/axes/conf.py
index eea9b46..9dab628 100644
--- a/axes/conf.py
+++ b/axes/conf.py
@@ -108,24 +108,6 @@
 ),
 )
-# if your deployment is using reverse proxies, set this value to 'left-most' or 'right-most' per your configuration
-settings.AXES_PROXY_ORDER = getattr(settings, "AXES_PROXY_ORDER", "left-most")
-
-# if your deployment is using reverse proxies, set this value to the number of proxies in front of Django
-settings.AXES_PROXY_COUNT = getattr(settings, "AXES_PROXY_COUNT", None)
-
-# if your deployment is using reverse proxies, set to your trusted proxy IP addresses prefixes if needed
-settings.AXES_PROXY_TRUSTED_IPS = getattr(settings, "AXES_PROXY_TRUSTED_IPS", None)
-
-# set to the names of request.META attributes that should be checked for the IP address of the client
-# if your deployment is using reverse proxies, ensure that the header attributes are securely set by the proxy
-# ensure that the client can not spoof the headers by setting them and sending them through the proxy
-settings.AXES_META_PRECEDENCE_ORDER = getattr(
- settings,
- "AXES_META_PRECEDENCE_ORDER",
- getattr(settings, "IPWARE_META_PRECEDENCE_ORDER", ("REMOTE_ADDR",)),
-)
-
 # set CORS allowed origins when calling authentication over ajax
 settings.AXES_ALLOWED_CORS_ORIGINS = getattr(settings, "AXES_ALLOWED_CORS_ORIGINS", "*")
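Review bot: In axes/checks.py the mapping from each legacy key to its replacement lives only in the two-line comment added to `deprecated_settings`; the loop that builds the warning starts at the end of this hunk and continues outside it, so it is not visible whether the message names the new key. These four settings decide which address lockouts are keyed on, so an operator who simply deletes a flagged `AXES_PROXY_COUNT` without adding `AXES_IPWARE_PROXY_COUNT` ends up back at the `None` default. If the warning text is generic, I would spell the mapping out per entry, e.g. `# AXES_PROXY_COUNT -> AXES_IPWARE_PROXY_COUNT`, and repeat it in the check's hint.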
@@ -147,3 +129,44 @@
 settings.AXES_RESET_COOL_OFF_ON_FAILURE_DURING_LOCKOUT = getattr(
 settings, "AXES_RESET_COOL_OFF_ON_FAILURE_DURING_LOCKOUT", True
 )
+
+
+###
+# django-ipware settings for client IP address calculation and proxy detection
+# there are old AXES_PROXY_ and AXES_META_ legacy keys present for backwards compatibility
+# see https://github.com/un33k/django-ipware for further details
+###
+
+# if your deployment is using reverse proxies, set this value to 'left-most' or 'right-most' per your configuration
+settings.AXES_IPWARE_PROXY_ORDER = getattr(
+ settings,
+ "AXES_IPWARE_PROXY_ORDER",
+ getattr(settings, "AXES_PROXY_ORDER", "left-most"),
+)
+
+# if your deployment is using reverse proxies, set this value to the number of proxies in front of Django
+settings.AXES_IPWARE_PROXY_COUNT = getattr(
+ settings,
+ "AXES_IPWARE_PROXY_COUNT",
+ getattr(settings, "AXES_PROXY_COUNT", None),
+)
+
+# if your deployment is using reverse proxies, set to your trusted proxy IP addresses prefixes if needed
+settings.AXES_IPWARE_PROXY_TRUSTED_IPS = getattr(
+ settings,
+ "AXES_IPWARE_PROXY_TRUSTED_IPS",
+ getattr(settings, "AXES_PROXY_TRUSTED_IPS", None),
+)
+
+# set to the names of request.META attributes that should be checked for the IP address of the client
+# if your deployment is using reverse proxies, ensure that the header attributes are securely set by the proxy
+# ensure that the client can not spoof the headers by setting them and sending them through the proxy
+settings.AXES_IPWARE_META_PRECEDENCE_ORDER = getattr(
+ settings,
+ "AXES_IPWARE_META_PRECEDENCE_ORDER",
+ getattr(
+ settings,
+ "AXES_META_PRECEDENCE_ORDER",
+ getattr(settings, "IPWARE_META_PRECEDENCE_ORDER", ("REMOTE_ADDR",)),
+ ),
+)
diff --git a/axes/helpers.py b/axes/helpers.py
index 8c58411..331d1a6 100644
--- a/axes/helpers.py
+++ b/axes/helpers.py
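Review bot: The comment above `settings.AXES_IPWARE_META_PRECEDENCE_ORDER` warns about spoofed headers but does not say what makes a forwarded header safe to list, and the three-level fallback can pick up a project-wide `IPWARE_META_PRECEDENCE_ORDER` that was never set with axes in mind. If the resolved tuple names a forwarding header while `AXES_IPWARE_PROXY_COUNT` and `AXES_IPWARE_PROXY_TRUSTED_IPS` both stay at `None`, the address that lockouts are keyed on is presumably whatever the client sent (worth confirming against the ipware version in use). I would add `# only list forwarded headers together with AXES_IPWARE_PROXY_COUNT or AXES_IPWARE_PROXY_TRUSTED_IPS` to that comment, and state in the `###` section header that the AXES_IPWARE_ key wins over the legacy key when both are defined.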
@@ -192,10 +192,10 @@ def get_client_ip_address(
 client_ip_address, _ = ipware.ip.get_client_ip(
 request,
- proxy_order=settings.AXES_PROXY_ORDER,
- proxy_count=settings.AXES_PROXY_COUNT,
- proxy_trusted_ips=settings.AXES_PROXY_TRUSTED_IPS,
- request_header_order=settings.AXES_META_PRECEDENCE_ORDER,
+ proxy_order=settings.AXES_IPWARE_PROXY_ORDER,
+ proxy_count=settings.AXES_IPWARE_PROXY_COUNT,
+ proxy_trusted_ips=settings.AXES_IPWARE_PROXY_TRUSTED_IPS,
+ request_header_order=settings.AXES_IPWARE_META_PRECEDENCE_ORDER,
 )
 return client_ip_address
diff --git a/docs/4_configuration.rst b/docs/4_configuration.rst
index ead231e..13091a4 100644
--- a/docs/4_configuration.rst
+++ b/docs/4_configuration.rst
@@ -103,8 +103,8 @@ and uses some conservative configuration parameters by default for security.
 If you are using reverse proxies, you will need to configure one or more of the
 following settings to suit your set up to correctly resolve client IP addresses:
-* ``AXES_PROXY_COUNT``: The number of reverse proxies in front of Django as an integer. Default: ``None``
-* ``AXES_META_PRECEDENCE_ORDER``: The names of ``request.META`` attributes as a tuple of strings
+* ``AXES_IPWARE_PROXY_COUNT``: The number of reverse proxies in front of Django as an integer. Default: ``None``
+* ``AXES_IPWARE_META_PRECEDENCE_ORDER``: The names of ``request.META`` attributes as a tuple of strings
 to check to get the client IP address. Check the Django documentation for header naming conventions. Default: ``IPWARE_META_PRECEDENCE_ORDER`` setting if set, else ``('REMOTE_ADDR', )``
@@ -114,7 +114,7 @@ following settings to suit your set up to correctly resolve client IP addresses:
 .. code-block:: python
 # refer to the Django request and response objects documentation
- AXES_META_PRECEDENCE_ORDER = [
+ AXES_IPWARE_META_PRECEDENCE_ORDER = [
 'HTTP_X_FORWARDED_FOR',
 'REMOTE_ADDR',
 ]