Remove proxy protocol, chdir, preload from plain server

Author: davegaeddert

plain/plain/server/app.py

@@ -77,15 +77,6 @@ class Application(BaseApplication):
     # 'init' and 'load' methods are implemented by WSGIApplication.
     # pylint: disable=abstract-method
 
-    def chdir(self):
-        # chdir to the configured path before loading,
-        # default is the current dir
-        os.chdir(self.cfg.chdir)
-
-        # add the path to sys.path
-        if self.cfg.chdir not in sys.path:
-            sys.path.insert(0, self.cfg.chdir)
-
     def run(self):
         if self.cfg.print_config:
             print(self.cfg)

plain/plain/server/arbiter.py

@@ -121,9 +121,6 @@ def setup(self, app):
             for k, v in self.cfg.env.items():
                 os.environ[k] = v
 
-        if self.cfg.preload_app:
-            self.app.wsgi()
-
     def start(self):
         """\
         Initialize the arbiter. Start listening and set pidfile if needed.

plain/plain/server/config.py

@@ -855,23 +855,6 @@ class PrintConfig(Setting):
         """
 
 
-class PreloadApp(Setting):
-    name = "preload_app"
-    section = "Server Mechanics"
-    cli = ["--preload"]
-    validator = validate_bool
-    action = "store_true"
-    default = False
-    desc = """\
-        Load application code before the worker processes are forked.
-
-        By preloading an application you can save some RAM resources as well as
-        speed up server boot times. Although, if you defer application loading
-        to each worker process, you can reload your application code easily by
-        restarting workers.
-        """
-
-
 class Sendfile(Setting):
     name = "sendfile"
     section = "Server Mechanics"
@@ -910,18 +893,6 @@ class ReusePort(Setting):
         """
 
 
-class Chdir(Setting):
-    name = "chdir"
-    section = "Server Mechanics"
-    cli = ["--chdir"]
-    validator = validate_chdir
-    default = util.getcwd()
-    default_doc = "``'.'``"
-    desc = """\
-        Change directory to specified directory before loading apps.
-        """
-
-
 class Env(Setting):
     name = "raw_env"
     action = "append"
@@ -1762,53 +1733,6 @@ def ssl_context(conf, default_ssl_context_factory):
         """
 
 
-class ProxyProtocol(Setting):
-    name = "proxy_protocol"
-    section = "Server Mechanics"
-    cli = ["--proxy-protocol"]
-    validator = validate_bool
-    default = False
-    action = "store_true"
-    desc = """\
-        Enable detect PROXY protocol (PROXY mode).
-
-        Allow using HTTP and Proxy together. It may be useful for work with
-        stunnel as HTTPS frontend and Gunicorn as HTTP server.
-
-        PROXY protocol: http://haproxy.1wt.eu/download/1.5/doc/proxy-protocol.txt
-
-        Example for stunnel config::
-
-            [https]
-            protocol = proxy
-            accept  = 443
-            connect = 80
-            cert = /etc/ssl/certs/stunnel.pem
-            key = /etc/ssl/certs/stunnel.key
-        """
-
-
-class ProxyAllowFrom(Setting):
-    name = "proxy_allow_ips"
-    section = "Server Mechanics"
-    cli = ["--proxy-allow-from"]
-    validator = validate_string_to_addr_list
-    default = "127.0.0.1,::1"
-    desc = """\
-        Front-end's IPs from which allowed accept proxy requests (comma separated).
-
-        Set to ``*`` to disable checking of front-end IPs. This is useful for setups
-        where you don't know in advance the IP address of front-end, but
-        instead have ensured via other means that only your
-        authorized front-ends can access Gunicorn.
-
-        .. note::
-
-            This option does not affect UNIX socket connections. Connections not associated with
-            an IP address are treated as allowed, unconditionally.
-        """
-
-
 class KeyFile(Setting):
     name = "keyfile"
     section = "SSL"

plain/plain/server/http/message.py

@@ -7,16 +7,13 @@
 
 import io
 import re
-import socket
 
 from ..util import bytes_to_str, split_request_uri
 from .body import Body, ChunkedReader, EOFReader, LengthReader
 from .errors import (
-    ForbiddenProxyRequest,
     InvalidHeader,
     InvalidHeaderName,
     InvalidHTTPVersion,
-    InvalidProxyLine,
     InvalidRequestLine,
     InvalidRequestMethod,
     InvalidSchemeHeaders,
@@ -259,7 +256,6 @@ def __init__(self, cfg, unreader, peer_addr, req_number=1):
             self.limit_request_line = MAX_REQUEST_LINE
 
         self.req_number = req_number
-        self.proxy_protocol_info = None
         super().__init__(cfg, unreader, peer_addr)
 
     def get_data(self, unreader, buf, stop=False):
@@ -277,13 +273,6 @@ def parse(self, unreader):
         # get request line
         line, rbuf = self.read_line(unreader, buf, self.limit_request_line)
 
-        # proxy protocol
-        if self.proxy_protocol(bytes_to_str(line)):
-            # get next request line
-            buf = io.BytesIO()
-            buf.write(rbuf)
-            line, rbuf = self.read_line(unreader, buf, self.limit_request_line)
-
         self.parse_request_line(line)
         buf = io.BytesIO()
         buf.write(rbuf)
@@ -335,81 +324,6 @@ def read_line(self, unreader, buf, limit=0):
             data[idx + 2 :],
         )  # residue in the buffer, skip \r\n
 
-    def proxy_protocol(self, line):
-        """\
-        Detect, check and parse proxy protocol.
-
-        :raises: ForbiddenProxyRequest, InvalidProxyLine.
-        :return: True for proxy protocol line else False
-        """
-        if not self.cfg.proxy_protocol:
-            return False
-
-        if self.req_number != 1:
-            return False
-
-        if not line.startswith("PROXY"):
-            return False
-
-        self.proxy_protocol_access_check()
-        self.parse_proxy_protocol(line)
-
-        return True
-
-    def proxy_protocol_access_check(self):
-        # check in allow list
-        if (
-            "*" not in self.cfg.proxy_allow_ips
-            and isinstance(self.peer_addr, tuple)
-            and self.peer_addr[0] not in self.cfg.proxy_allow_ips
-        ):
-            raise ForbiddenProxyRequest(self.peer_addr[0])
-
-    def parse_proxy_protocol(self, line):
-        bits = line.split(" ")
-
-        if len(bits) != 6:
-            raise InvalidProxyLine(line)
-
-        # Extract data
-        proto = bits[1]
-        s_addr = bits[2]
-        d_addr = bits[3]
-
-        # Validation
-        if proto not in ["TCP4", "TCP6"]:
-            raise InvalidProxyLine(f"protocol '{proto}' not supported")
-        if proto == "TCP4":
-            try:
-                socket.inet_pton(socket.AF_INET, s_addr)
-                socket.inet_pton(socket.AF_INET, d_addr)
-            except OSError:
-                raise InvalidProxyLine(line)
-        elif proto == "TCP6":
-            try:
-                socket.inet_pton(socket.AF_INET6, s_addr)
-                socket.inet_pton(socket.AF_INET6, d_addr)
-            except OSError:
-                raise InvalidProxyLine(line)
-
-        try:
-            s_port = int(bits[4])
-            d_port = int(bits[5])
-        except ValueError:
-            raise InvalidProxyLine(f"invalid port {line}")
-
-        if not ((0 <= s_port <= 65535) and (0 <= d_port <= 65535)):
-            raise InvalidProxyLine(f"invalid port {line}")
-
-        # Set data
-        self.proxy_protocol_info = {
-            "proxy_protocol": proto,
-            "client_addr": s_addr,
-            "client_port": s_port,
-            "proxy_addr": d_addr,
-            "proxy_port": d_port,
-        }
-
     def parse_request_line(self, line_bytes):
         bits = [bytes_to_str(bit) for bit in line_bytes.split(b" ", 2)]
         if len(bits) != 3:

plain/plain/server/http/wsgi.py

@@ -96,21 +96,6 @@ def default_environ(req, sock, cfg):
     return env
 
 
-def proxy_environ(req):
-    info = req.proxy_protocol_info
-
-    if not info:
-        return {}
-
-    return {
-        "PROXY_PROTOCOL": info["proxy_protocol"],
-        "REMOTE_ADDR": info["client_addr"],
-        "REMOTE_PORT": str(info["client_port"]),
-        "PROXY_ADDR": info["proxy_addr"],
-        "PROXY_PORT": str(info["proxy_port"]),
-    }
-
-
 def create(req, sock, client, server, cfg):
     resp = Response(req, sock, cfg)
 
@@ -195,9 +180,6 @@ def create(req, sock, client, server, cfg):
     environ["PATH_INFO"] = util.unquote_to_wsgi_str(path_info)
     environ["SCRIPT_NAME"] = script_name
 
-    # override the environ with the correct remote and server address if
-    # we are behind a proxy using the proxy protocol.
-    environ.update(proxy_environ(req))
     return resp, environ
 
 

plain/plain/server/workers/base.py

@@ -18,11 +18,9 @@
 from .. import util
 from ..http.errors import (
     ConfigurationProblem,
-    ForbiddenProxyRequest,
     InvalidHeader,
     InvalidHeaderName,
     InvalidHTTPVersion,
-    InvalidProxyLine,
     InvalidRequestLine,
     InvalidRequestMethod,
     InvalidSchemeHeaders,
@@ -223,8 +221,6 @@ def handle_error(self, req, client, addr, exc):
             | InvalidHeaderName
             | LimitRequestLine
             | LimitRequestHeaders
-            | InvalidProxyLine
-            | ForbiddenProxyRequest
             | InvalidSchemeHeaders
             | UnsupportedTransferCoding
             | ConfigurationProblem
@@ -258,12 +254,6 @@ def handle_error(self, req, client, addr, exc):
                 reason = "Request Header Fields Too Large"
                 mesg = f"Error parsing headers: '{str(exc)}'"
                 status_int = 431
-            elif isinstance(exc, InvalidProxyLine):
-                mesg = f"'{str(exc)}'"
-            elif isinstance(exc, ForbiddenProxyRequest):
-                reason = "Forbidden"
-                mesg = "Request forbidden"
-                status_int = 403
             elif isinstance(exc, InvalidSchemeHeaders):
                 mesg = f"{str(exc)}"
             elif isinstance(exc, SSLError):