Spaces:

doasyousay
/

googleapis

Running

Transformer Claude Opus 4.6 (1M context) commited on Apr 6

Commit

94e4a6a

1 Parent(s): 817572f

fix: 过滤泄露客户端真实 IP 的请求头

转发时移除 X-Forwarded-For、X-Real-IP 等头，防止目标服务器看到客户端真实 IP。

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Files changed (1) hide show

app.py CHANGED Viewed

@@ -106,10 +106,16 @@ async def proxy(target_url: str, request: Request, _: None = Depends(verify_auth
         proxy_header = request.headers.get("proxy")
         proxy_url = parse_proxy_header(proxy_header)
-        # 过滤 host 和 proxy 头
         forward_headers = [
             (k, v) for k, v in request.headers.raw
-            if k.lower() not in (b"host", b"proxy")
         ]
         client = httpx.AsyncClient(

         proxy_header = request.headers.get("proxy")
         proxy_url = parse_proxy_header(proxy_header)
+        # 过滤会泄露客户端真实 IP 的头，以及 host 和 proxy 头
+        STRIP_HEADERS = {
+            b"host", b"proxy",
+            b"x-forwarded-for", b"x-forwarded-host", b"x-forwarded-proto",
+            b"x-real-ip", b"forwarded", b"via",
+            b"cf-connecting-ip", b"true-client-ip",
+        }
         forward_headers = [
             (k, v) for k, v in request.headers.raw
+            if k.lower() not in STRIP_HEADERS
         ]
         client = httpx.AsyncClient(