No way to specify Unix domain clients as trusted using --forwarded-allow-ips

[bemoody]

When running uvicorn as a Unix-domain server using --uds, I want to report the correct remote address and protocol to the ASGI application.

That means that I want to honor the X-Forwarded-Proto header, and I want to honor the final entry in the X-Forwarded-For header, but I don't want to honor other entries in X-Forwarded-For unless they come from a trusted proxy.

From what I can tell, this is impossible: the only way to tell uvicorn to trust proxy headers from a Unix-domain client is to specify --forwarded-allow-ips *, which means "trust everyone in the world".

(For example, consider the recommended configuration at https://uvicorn.dev/deployment/#running-behind-nginx , which uses proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for. Without --forwarded-allow-ips, this header has no effect. With --forwarded-allow-ips *, any client is allowed to spoof any IP address.)

It would be nice to be able to say something like --forwarded-allow-ips 192.168.123.45,unix:. To make that work, I think the following change would be sufficient:

--- a/uvicorn/middleware/proxy_headers.py
+++ b/uvicorn/middleware/proxy_headers.py
@@ -29,7 +29,7 @@ class ProxyHeadersMiddleware:
             return await self.app(scope, receive, send)
 
         client_addr = scope.get("client")
-        client_host = client_addr[0] if client_addr else None
+        client_host = client_addr[0] if client_addr else "unix:"
 
         if client_host in self.trusted_hosts:
             headers = dict(scope["headers"])

But this could probably be more robust.

I also note that https://uvicorn.dev/deployment/#proxies-and-forwarded-headers says:

Uvicorn can be configured to trust IP Addresses (e.g. 127.0.0.1), IP Networks (e.g. 10.100.0.0/16), or Literals (e.g. /path/to/socket.sock).

I think this comment is misleading; using a server socket path as a "Literal" doesn't work.

[bemoody]

By my reading of the ASGI spec (https://asgi.readthedocs.io/en/latest/specs/www.html#http-connection-scope), the proper way to indicate that a client is connected via Unix socket is to set scope["client"] = None and scope["server"] = (socket_path, None).

So a more robust and spec-compliant way to handle this would be:

• In get_local_addr, if the socket is an AF_UNIX socket, return (socket_path, None).
• In ProxyHeadersMiddleware, if scope["client"] is None and scope["server"] is not None and scope["server"][1] is None, then set client_host = "unix:".

---

Meanwhile, this doesn't work for gunicorn+uvicorn_worker.

AFAICT, when uvicorn_worker is used under gunicorn, this means that gunicorn is reponsible for parsing the --forwarded-allow-ips command-line argument, but uvicorn's ProxyHeadersMiddleware is responsible for interpreting it.

gunicorn --forwarded-allow-ips=192.168.1.1,unix: whines that unix: "does not appear to be an IPv4 or IPv6 address".

gunicorn --forwarded-allow-ips=* works and is broken in the same way that uvicorn --forwarded-allow-ips=* is.

The gunicorn documentation claims that --forwarded-allow-ips "does not affect UNIX socket connections" (https://docs.gunicorn.org/en/stable/settings.html#forwarded-allow-ips). That's only true for gunicorn itself, not for gunicorn+uvicorn_worker. But this seems like reasonable behavior and maybe it would be okay to do this in uvicorn_worker, if not in uvicorn itself?