Original code copyright (C) 2009-2022 Rudolf Cardinal (

This file is part of cardinal_pythonlib.

Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Middleware to set SCRIPT_NAME environment variable etc. when behind a reverse proxy.

class cardinal_pythonlib.wsgi.reverse_proxied_mw.ReverseProxiedConfig(trusted_proxy_headers: List[str] = None, http_host: str = None, remote_addr: str = None, script_name: str = None, server_name: str = None, server_port: int = None, url_scheme: str = None, rewrite_path_info: bool = False)

Class to hold information about a reverse proxy configuration.

  • trusted_proxy_headers – list of headers, from ReverseProxiedMiddleware.ALL_CANDIDATES, that the middleware will treat as trusted and obey. All others from this list will be stripped.
  • http_host – Value to write to the HTTP_HOST WSGI variable. If not specified, an appropriate trusted header will be used (if there is one).
  • remote_addr – … similarly for REMOTE_ADDR
  • script_name – … similarly for SCRIPT_NAME
  • server_name – … similarly for SERVER_NAME
  • server_port – … similarly for SERVER_PORT
  • url_scheme – … similarly for URL_SCHEME (e.g. "https")
  • rewrite_path_info

    If True, then if the middleware sets SCRIPT_NAME and PATH_INFO starts with SCRIPT_NAME, the SCRIPT_NAME will be stripped off the front of PATH_INFO.

    This is appropriate for front-end web servers that fail to rewrite the incoming URL properly. (Do not use for Apache with ProxyPass; ProxyPass rewrites the URLs properly for you.)

    … as per e.g.

necessary() → bool

Is any special handling (e.g. the addition of ReverseProxiedMiddleware) necessary for this config?

class cardinal_pythonlib.wsgi.reverse_proxied_mw.ReverseProxiedMiddleware(app: Callable[[Dict[str, str], Callable[[str, List[Tuple[str, str]], Optional[Tuple[Optional[Type[BaseException]], Optional[BaseException], Optional[traceback]]]], Callable[[str], None]]], Iterable[bytes]], config: cardinal_pythonlib.wsgi.reverse_proxied_mw.ReverseProxiedConfig, debug: bool = False)

WSGI middleware to set the SCRIPT_NAME and PATH_INFO WSGI environment variables (etc.) correctly when behind a reverse proxy.

Note that the WSGI environment variables HTTP_* are clones of HTTP headers; for example, X-Forwarded-For in HTTP becomes HTTP_X_FORWARDED_FOR in WSGI.

See also:

cardinal_pythonlib.wsgi.reverse_proxied_mw.first_from_xff(value: str) → str

Returns the first IP address from an X-Forwarded-For header; see ip_addresses_from_xff().

Parameters: value – the value of an HTTP X-Forwarded-For (or WSGI HTTP_X_FORWARDED_FOR) header
Returns: an IP address as a string, or '' if none is found

cardinal_pythonlib.wsgi.reverse_proxied_mw.ip_addresses_from_xff(value: str) → List[str]

Returns a list of IP addresses (as strings), given the value of an HTTP X-Forwarded-For (or WSGI HTTP_X_FORWARDED_FOR) header.

Parameters: value – the value of an HTTP X-Forwarded-For (or WSGI HTTP_X_FORWARDED_FOR) header
Returns: a list of IP addresses as strings

See: - - # noqa - NOT THIS:
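
The behaviour documented above (strip untrusted candidate headers, take the first X-Forwarded-For entry as the client address, optionally strip SCRIPT_NAME from PATH_INFO) can be sketched as a stand-alone function. This is an added example, not code from cardinal_pythonlib: `CANDIDATES`, `split_xff`, `apply_proxy_policy` and the sample environ are hypothetical names and constructed values.

```python
from typing import Dict, List, Optional

# Constructed candidate list for illustration only; the contents of the
# library's ReverseProxiedMiddleware.ALL_CANDIDATES are not shown on this page.
CANDIDATES = ["HTTP_X_FORWARDED_FOR", "HTTP_X_FORWARDED_HOST",
              "HTTP_X_FORWARDED_SERVER", "HTTP_X_SCRIPT_NAME"]


def split_xff(value: str) -> List[str]:
    """Split an X-Forwarded-For value into its comma-separated entries."""
    return [p.strip() for p in value.split(",") if p.strip()]


def apply_proxy_policy(environ: Dict[str, str], trusted: List[str],
                       script_name: Optional[str] = None,
                       rewrite_path_info: bool = False) -> Dict[str, str]:
    """Return a copy of environ with the proxy policy applied (hypothetical helper)."""
    env = dict(environ)
    # 1. Strip every candidate header that is not explicitly trusted, so the
    #    application never sees a value an arbitrary client could have sent.
    for key in CANDIDATES:
        if key not in trusted:
            env.pop(key, None)
    # 2. Obey a trusted X-Forwarded-For: its first entry becomes REMOTE_ADDR.
    ips = split_xff(env.get("HTTP_X_FORWARDED_FOR", ""))
    if ips:
        env["REMOTE_ADDR"] = ips[0]
    # 3. Fixed SCRIPT_NAME, optionally stripped from the front of PATH_INFO.
    if script_name is not None:
        env["SCRIPT_NAME"] = script_name
        path = env.get("PATH_INFO", "")
        if rewrite_path_info and path.startswith(script_name):
            env["PATH_INFO"] = path[len(script_name):]
    return env


# Constructed sample request: the proxy at 10.0.0.5 set X-Forwarded-For, while
# X-Forwarded-Host is not a header this deployment's proxy is expected to set.
SAMPLE_ENVIRON = {
    "REMOTE_ADDR": "10.0.0.5",
    "SCRIPT_NAME": "",
    "PATH_INFO": "/myapp/login",
    "HTTP_X_FORWARDED_FOR": "203.0.113.7, 10.0.0.5",
    "HTTP_X_FORWARDED_HOST": "unexpected.example",
}

if __name__ == "__main__":
    print(apply_proxy_policy(SAMPLE_ENVIRON, ["HTTP_X_FORWARDED_FOR"], "/myapp", True))
```

The first X-Forwarded-For entry is only as reliable as the proxy that writes it, so a header belongs in the trusted list only when the front-end proxy sets or overwrites it on every request.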