
Flask behind a reverse proxy: actual client IPs

Hi! At work I'm involved with a REST API based on Flask. For SSL, we decided to use nginx as a reverse proxy. As a result, all client IPs are reported as 127.0.0.1:

 * Running on http://0.0.0.0:5000/
127.0.0.1 - - [15/Feb/2015 17:43:48] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [15/Feb/2015 17:43:48] "GET /favicon.ico HTTP/1.1" 404 -

Flask is based on Werkzeug. Werkzeug comes with a helper called ProxyFix to address this problem: it rewrites the WSGI environment (REMOTE_ADDR, scheme, host) from the X-Forwarded-* headers that the proxy sets.

from flask import Flask
from werkzeug.contrib.fixers import ProxyFix

app = Flask(__name__)
app.wsgi_app = ProxyFix(app.wsgi_app)
[..]

To make nginx feed the headers needed by ProxyFix, these lines help:

proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host your.project.domain.org;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:5000/;

Now one thing remains to fix: the debugging log on stderr still reports 127.0.0.1, because ProxyFix only touches the WSGI environment, not the development server's request handler. To get the IP from the X-Forwarded-For header in there, I wrote this patching function, which replaces the method WSGIRequestHandler.address_string:

def fix_werkzeug_logging():
    from werkzeug.serving import WSGIRequestHandler

    def address_string(self):
        # X-Forwarded-For is a comma-separated chain; the leftmost entry
        # is the original client as seen by the first proxy.
        forwarded_for = self.headers.get(
            'X-Forwarded-For', '').split(',')

        if forwarded_for and forwarded_for[0].strip():
            return forwarded_for[0].strip()
        else:
            # No header (e.g. direct access): fall back to the socket peer.
            return self.client_address[0]

    # Monkey-patch the handler the development server uses for logging.
    WSGIRequestHandler.address_string = address_string

With that applied, I get actual client IPs. Tested with python-flask 0.8-1 and python-werkzeug 0.8.3+dfsg-1 of Debian wheezy. All source code in this post is licensed under CC0.
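The patch above takes the first X-Forwarded-For entry at face value, which is fine while Flask only ever hears from the local nginx. The following added example (mine, not from the original post, Python 3) resolves the log address from the header only when the connection actually comes from a trusted proxy, and walks the chain from the proxy-appended right end as nginx's $proxy_add_x_forwarded_for builds it; TRUSTED_PROXIES and fix_werkzeug_logging are assumptions for this illustration.

```python
import ipaddress
from typing import FrozenSet, List, Optional

# Assumption for this example: as in the post, nginx runs on the same host and
# proxies to 127.0.0.1:5000, so loopback is the only peer allowed to vouch for
# a client address. Adjust to wherever your proxy actually connects from.
TRUSTED_PROXIES: FrozenSet[str] = frozenset({"127.0.0.1", "::1"})


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_forwarded_for(header_value: str) -> List[str]:
    """Split an X-Forwarded-For value into trimmed, non-empty entries.

    nginx's $proxy_add_x_forwarded_for appends its own peer address to whatever
    the client already sent, so client-controlled entries sit on the left and
    the proxy-appended one on the right."""
    return [part.strip() for part in header_value.split(",") if part.strip()]


def client_ip(peer_address: str, forwarded_for: Optional[str],
              trusted: FrozenSet[str] = TRUSTED_PROXIES) -> str:
    """Return the address worth logging for a request.

    Only a trusted proxy may speak for the client; a direct connection to Flask
    is logged with its socket peer regardless of any header it carries. Within
    the header, walk from the right (the hop nearest to us), skip our own
    proxies and malformed entries, and return the first remaining address: the
    one the last trusted proxy actually observed."""
    if peer_address not in trusted or not forwarded_for:
        return peer_address
    for entry in reversed(parse_forwarded_for(forwarded_for)):
        if entry in trusted or not _is_ip(entry):
            continue
        return entry
    return peer_address  # every entry was one of our own proxies (or junk)


def fix_werkzeug_logging(trusted: FrozenSet[str] = TRUSTED_PROXIES) -> None:
    """Same patch point as the post's address_string override, using client_ip."""
    from werkzeug.serving import WSGIRequestHandler

    def address_string(self):
        return client_ip(self.client_address[0],
                         self.headers.get("X-Forwarded-For"), trusted)

    WSGIRequestHandler.address_string = address_string
```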

Back on-line, finally

My core web services are finally back on-line:

My apologies that it took so long! I took the occasion of the migration to redirect all traffic on (blog|www).hartwork.org to SSL, so that people downloading some of my past Windows binaries (like Winamp plug-in installers) are no longer exposed to games like a BDFproxy man-in-the-middle. If you run into anything (still) broken or off-line, please drop me a mail.

Best, Sebastian

Fwd: Why I stopped watching porn | Ran Gavrieli | TEDxJaffa

I watched this TEDx talk quite a while ago, already. I ran into it again today in my bookmarks: I actually wanted to share it the first time around but also wanted time to make up my mind whether or not to share it on my blog, and made a todo-like bookmark. So here it is. I would like to quote Ran Gavrieli on something that applies to a lot more than this very topic:

We should be very careful with... not only what we put into our body in terms of fruit and nutrition... with what is the nutrition of our minds. Everything we watch invades us.

Why I stopped watching porn | Ran Gavrieli | TEDxJaffa

Switching to Grub2 on Gentoo

Hi! There seem to be quite a number of people who are "afraid" of Grub2 because of its "no single file" approach. From more and more people I hear about sticking to Grub legacy or moving to syslinux rather than upgrading to Grub2. I used to be one of them not too long ago: I stuck with Grub legacy for quite a while, mainly because I never felt like breaking a booting system at that very moment. I have finally upgraded my Gentoo dev machine to Grub2 now and I'm rather happy with the results:

  • No manual editing of Grub2 config files for kernel upgrades any more
  • The Grub2 rescue shell, if I should break things
  • Fancy theming if I feel like that next week
  • I am off more or less unmaintained software

My steps to upgrade were:

  1. Install sys-boot/grub:2.
  2. Inspect the output of "sudo grub2-mkconfig" (which goes to stdout) to get a feeling for it.
  3. Tune /etc/default/grub a bit:
GRUB_DEFAULT=0
GRUB_TIMEOUT=5

# This is genkernel
GRUB_CMDLINE_LINUX="dolvm dokeymap keymap=de
    crypt_root=UUID=00000000-0000-0000-0000-000000000000
    real_root=/dev/gentoo/root noslowusb"

# A bit retro, works with and without external display
GRUB_GFXMODE=640x480

GRUB_BACKGROUND="/boot/grub/gentoo-cow-gdm-remake-640x480.png"

NOTE: I broke the GRUB_CMDLINE_LINUX line for readability, only.

  4. Insert a "shutdown" menu entry at /etc/grub.d/40_custom:
#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu
# entries.  Simply type the menu entries you want to
# add after this comment.  Be careful not to change
# the 'exec tail' line above.

menuentry "Shutdown" {
    halt
}
  5. Run "sudo grub2-mkconfig -o /boot/grub/grub.cfg"
  6. Run "sudo grub2-install /dev/disk/by-id/ata-HITACHI_000000000000000_00000000000000000000"

Using /dev/disk/ greatly reduces the risk of installing to the wrong disk. Check "find /dev/disk | xargs ls -ld".

  7. Reboot

Done.

For kernel updates, my new process is:

emerge -auv sys-kernel/vanilla-sources

pushd /usr/src
cp linux-3.18.3/.config linux-3.18.4/

# yes, sys-kernel/vanilla-sources[symlink] would do that for me
rm linux
ln -s linux-3.18.4 linux

pushd linux
yes '' | make oldconfig

make -j4 && make modules_install install \
        && emerge tp_smapi \
        && genkernel initramfs \
        && grub2-mkconfig -o /boot/grub/grub.cfg

popd
popd

Best, Sebastian

(German) Tenant-unfriendly: meter-reading service Ista Deutschland GmbH

Once a year, someone reads the meters for hot water, cold water and district heating. In my building, that is done by ista Deutschland GmbH. A first, fixed appointment is announced by a notice on the front door and a flyer in the mailbox. The announcement says that I may incur costs if I also miss the second appointment. So I call Ista with the aim of making sure that at least the second appointment fits into my calendar. The readings and the appointments are handled by a local service provider, I am told; nothing can be done about that, not even getting in contact with them. On the day of the second reading appointment I am at home, and on leaving I notice that nobody came, because the notice says the appointment has been cancelled. Without a reason, and no mention of a further appointment. I write Ista an e-mail about this, include my meter readings, and ask for confirmation that they have been received and processed. An automatic acknowledgement of receipt arrives. For the next seven days I hear nothing. I reply to the acknowledgement and ask for a response. After two more days without reaction, I call. I should contact my landlord, I am told. Why nobody answered me? She had no insight into that. What a great outfit.

Tool to preview Grub2 themes easily (using KVM)

The short version: To preview a Grub2 theme live does not have to be hard.

Hi! When I first wrote about a (potentially too lengthy) way to make a Grub2 theming playground in 2012, I was hoping that people would start throwing Gentoo Grub2 themes around, so that picking one would become harder than finding one. As you know, that didn't happen. Therefore, I am taking a few more steps now:

So this post is about that new tool: grub2-theme-preview. Basically, it does the steps I blogged about in 2012, automated:

  • Creates a sparse disk as a regular file
  • Adds a partition to it and formats using ext2
  • Installs Grub2, copies a theme of your choice and a config file to make it work
  • Starts KVM

That way, a theme creator can concentrate on the actual work on the theme. To give an example, to preview theme "Archxion" off GitHub as of today you could run:

git clone https://github.com/hartwork/grub2-theme-preview.git
git clone https://github.com/Generator/Grub2-themes.git
cd grub2-theme-preview
./grub2-theme-preview ../Grub2-themes/Archxion/

Once grub2-theme-preview has distutils/setuptools packaging and a Gentoo ebuild, that gets a bit easier still. The current usage is:

# ./grub2-theme-preview --help
usage: grub2-theme-preview [-h] [--image] [--grub-cfg PATH] [--version] PATH

positional arguments:
  PATH             Path of theme directory (or image file) to preview

optional arguments:
  -h, --help       show this help message and exit
  --image          Preview a background image rather than a whole theme
  --grub-cfg PATH  Path grub.cfg file to apply
  --version        show program's version number and exit

Before using the tool, be warned that:

  • it is alpha/beta software that
  • needs root permissions for some parts (calling sudo), so
  • I don't take any warranty for anything right now!

Here is what to expect from running

# ./grub2-theme-preview /usr/share/grub/themes/gutsblack-archlinux/

assuming you have grub2-themes/gutsblack-archlinux off the grub2-themes overlay installed with this grub.cfg file:

Another example using the --image switch for background-image-only themes, using a 640x480 rendering of a vector remake of gentoo-cow:

The latter is a good candidate for the Grub2 version of media-gfx/grub-splashes I mentioned earlier. I'm looking forward to your patches and pull requests!

New Gentoo overlay: grub2-themes

Hi! I've been looking around for Grub2 themes a bit and started a dedicated overlay to not litter the main repository. The overlay

Any Gentoo developer on GitHub probably has received a

[GitHub] Subscribed to gentoo/grub2-themes-overlay notifications

mail already. I put it into the Gentoo project account rather than my personal account because I do not want this to be a solo project: you are welcome to extend and improve it. That includes pull requests from users. The licensing situation (in the overlay, as well as with Grub2 themes in general) is not optimal. Right now, more or less all of the themes have all-rights-reserved for a license, since logos of various Linux distributions are included. So even if the theme itself is licensed under GPL v2 or later, the whole thing including icons is not. I am considering adding a USE flag "icons" to control cutting the icons away. That way, people with ACCEPT_LICENSE="-* @FREE" could still use at least some of these themes. By the way, I welcome help identifying the licenses of each of the original distribution logos, if that sounds like an interesting challenge to you. More to come on Grub2 themes. Stay tuned.