Fixing proxy headers#
If you are serving Hypercorn behind a proxy e.g. a load balancer the client-address, scheme, and host-header will match that of the connection between the proxy and Hypercorn rather than the user-agent (client). However, most proxies provide headers with the original user-agent (client) values which can be used to “fix” the headers to these values.
Modern proxies should provide this information via a Forwarded
header from RFC 7239. However, this is
rare in practice with legacy proxies using a combination of
X-Forwarded-For
, X-Forwarded-Proto
and
X-Forwarded-Host
. It is important that you chose the correct mode
(legacy, or modern) based on the proxy you use.
To use the proxy fix middleware behind a single legacy proxy simply wrap your app and serve the wrapped app,
from hypercorn.middleware import ProxyFixMiddleware
fixed_app = ProxyFixMiddleware(app, mode="legacy", trusted_hops=1)
Warning
The mode and number of trusted hops must match your setup or the user-agent (client) may be trusted and hence able to set alternative for, proto, and host values. This can, depending on your usage in the app, lead to security vulnerabilities.