So what's up with these uwsgi_params:
location / {
    include uwsgi_params;
    uwsgi_pass unix:/tmp/uwsgi.sock;
    uwsgi_param Host $host;
    uwsgi_param X-Real-IP $remote_addr;
    uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for;
    uwsgi_param X-Forwarded-Proto $http_x_forwarded_proto;
}
It looks like they're trying to prevent spoofing some headers that are normally handled by the server. But
- All client headers have HTTP_ prefixed to them. So it's impossible to spoof e.g. REMOTE_ADDR since it would turn into HTTP_REMOTE_ADDR.
- Conversely, the UWSGI params aren't even overriding the right HTTP headers. If the client sets X-Real-IP, it will turn into the HTTP_X_REAL_IP uwsgi_param, not X-Real-IP.
These all seem useless, and b773081 doesn't give any justification.
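To make the mapping described in the comment concrete, here is an added illustration (not code from the project or the commenter) that models how a uWSGI-style server fills its environ: client request headers become HTTP_<NAME> keys, while uwsgi_param lines become literal keys with exactly the name given. The nginx variable values and the request headers are constructed sample data.

```python
# Added example: models the header-vs-uwsgi_param mapping discussed above.
# Not the project's code; nginx variable values below are constructed samples.
from typing import Dict, List, Tuple

NGINX_VARS = {
    "$host": "example.test",
    "$remote_addr": "203.0.113.7",                # peer address seen by nginx
    "$proxy_add_x_forwarded_for": "203.0.113.7",
    "$http_x_forwarded_proto": "https",           # echoes the client's own header
}

# The uwsgi_param lines from the location block quoted in the comment.
UWSGI_PARAMS = [
    ("Host", "$host"),
    ("X-Real-IP", "$remote_addr"),
    ("X-Forwarded-For", "$proxy_add_x_forwarded_for"),
    ("X-Forwarded-Proto", "$http_x_forwarded_proto"),
]


def header_to_cgi_key(name: str) -> str:
    """Client header 'X-Real-IP' -> environ key 'HTTP_X_REAL_IP'."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_environ(client_headers: List[Tuple[str, str]],
                  uwsgi_params: List[Tuple[str, str]],
                  nginx_vars: Dict[str, str] = NGINX_VARS) -> Dict[str, str]:
    """Build the environ the way the comment describes it."""
    env = {"REMOTE_ADDR": nginx_vars["$remote_addr"]}  # always server-set
    for name, value in client_headers:
        env[header_to_cgi_key(name)] = value           # prefixed, so never REMOTE_ADDR
    for key, var in uwsgi_params:
        env[key] = nginx_vars.get(var, var)            # literal key, no HTTP_ prefix
    return env


def client_ip(environ: Dict[str, str]) -> str:
    """Defender-side rule: derive the peer address from the server-set
    REMOTE_ADDR, not from a client-controlled HTTP_* key."""
    return environ["REMOTE_ADDR"]


if __name__ == "__main__":
    # Constructed request: the client sends REMOTE_ADDR and X-Real-IP headers itself.
    env = build_environ([("REMOTE_ADDR", "10.0.0.1"), ("X-Real-IP", "10.0.0.1")],
                        UWSGI_PARAMS)
    for key in ("REMOTE_ADDR", "HTTP_REMOTE_ADDR", "HTTP_X_REAL_IP", "X-Real-IP"):
        print(f"{key} = {env[key]}")
    print("client_ip ->", client_ip(env))
```

The output shows the two keys side by side: HTTP_X_REAL_IP still carries the client's value, while the uwsgi_param only created a separate X-Real-IP key, which is exactly the mismatch the comment points out.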