fixup! ERP5Type/patches: use the first entry of HTTP_X_FORWARDED_FOR as the source IP address.

product/ERP5/bin/zopewsgi.py

@@ -138,8 +138,9 @@ def createServer(application, logger, **kw):
     global server
     server = create_server(
         TransLogger(application, logger=logger),
-        trusted_proxy='*',
-        trusted_proxy_headers=('x-forwarded-for',),
+        # We handle X-Forwarded-For by ourselves. See ERP5Type/patches/WSGITask.py.
+        # trusted_proxy='*',
+        # trusted_proxy_headers=('x-forwarded-for',),
         clear_untrusted_proxy_headers=True,
         **kw
     )

product/ERP5Type/ZopePatch.py

@@ -90,6 +90,7 @@ from Products.ERP5Type.patches import ZSQLMethod
 from Products.ERP5Type.patches import MimetypesRegistry
 from Products.ERP5Type.patches import users
 from Products.ERP5Type.patches import Publish
+from Products.ERP5Type.patches import WSGITask
 
 # These symbols are required for backward compatibility
 from Products.ERP5Type.patches.PropertyManager import ERP5PropertyManager

product/ERP5Type/patches/WSGITask.py

+# -*- coding: utf-8 -*-
+
+import ZPublisher.HTTPRequest
+from waitress.task import WSGITask
+
+WSGITask_get_environment = WSGITask.get_environment
+
+def get_environment(self):
+  if ZPublisher.HTTPRequest.trusted_proxies == ('0.0.0.0',): # Magic value to enable this functionality
+    # Frontend-facing proxy is responsible for sanitising
+    # X_FORWARDED_FOR, and only trusted accesses should bypass
+    # that proxy. So trust first entry.
+    forwarded_for = dict(self.request.headers).get('X_FORWARDED_FOR', '').split(',', 1)[0].strip()
+  else:
+    forwarded_for = None
+
+  environ = WSGITask_get_environment(self)
+
+  if forwarded_for:
+    environ['REMOTE_HOST'] = environ['REMOTE_ADDR'] = forwarded_for
+
+  return environ
+
+WSGITask.get_environment = get_environment