This feature needs to be enabled through the `http.use_x_forwarded_for` option,
satisfying security concerns of spoofed remote addresses in untrusted network
environments.
The testsuite was enhanced to explicitly test the functionality of the
header.
Fixes#4265.
Signed-off-by: Martin Weinelt <hexa@darmstadt.ccc.de>
* Change approved_ips from string to cidr validation
Relabel to trusted_networks, better reflecting its expected inputs,
everything that ipaddress.ip_networks recognizes as an ip network
is possible:
- 127.0.0.1 (single ipv4 addresses)
- 192.168.0.0/24 (ipv4 networks)
- ::1 (single ipv6 addresses)
- 2001:DB8::/48 (ipv6 networks)
* Add support for the X-Forwarded-For header
* Use local timezone for log and history dates
* home-assistant-js fix
* Submodule updates not included so travis can build
* Separate Date and DateTime http validators
* Include submodule reference
* Update frontend
* Depreciate ssl2/3
Following the best practices as defind here:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
* Updated comment with better decription
Links to the rational rather than the config generator; explains link.
* add comment mentioning intermediate
When a browser makes a CORS request, it often makes a 'preflight'
options request in order to make sure the resource is valid, and that
it has the right CORS access. This adds a default OPTIONS handler for
all views. If a view needs to customize the OPTIONS handler for some
reason, it's free to, but this way CORS will work.
* Add CORS support to WSGI
* Remove X-HA-Access as a CORS header, because as @JshWright so elegantly put it: "CORS controls access to response headers, not request headers"
This commit adds back the config validation for the http component. It
was removed during the WSGI shuffle. This is just a direct copy of what
@robbiet480 added in ab294d12f7 (with some testing to verify it still
works).
* Fix TLS with eventlet
This fixes a simple error on my part when implementing the WSGI stuff.
eventlet.wrap_ssl() returns a wrapped socket, it does not modify the
object passed to it. We need to grab the returned value and use that.
* Fix style issue
