我有一个较旧的龙卷风服务器,它处理香草WebSocket连接。我代理这些连接,通过Nginx,从wss://info.mydomain.com到wss://mydomain.com:8080,以绕过客户代理,阻止非标准端口。
最近升级到龙卷风4.0后,所有连接都会被拒绝,并返回403。是什么导致了这个问题,我该如何解决它?
Tornado 4.0在默认情况下引入了同源检查。这将检查浏览器设置的源报头是否与主机报头
相同。代码如下:
def check_origin(self, origin):
"""Override to enable support for allowing alternate origins.
The ``origin`` argument is the value of the ``Origin`` HTTP header,
the url responsible for initiating this request.
.. versionadded:: 4.0
"""
parsed_origin = urlparse(origin)
origin = parsed_origin.netloc
origin = origin.lower()
host = self.request.headers.get("Host")
# Check to see that origin matches host directly, including ports
return origin == host
为了让你的代理websocket连接仍然工作,你需要覆盖WebSocketHandler上的check origin,并将你关心的域列入白名单。就像这样。
import re
from tornado import websocket
class YouConnection(websocket.WebSocketHandler):
def check_origin(self, origin):
return bool(re.match(r'^.*?.mydomain.com', origin))
这将使来自info.mydomain.com的连接像以前一样通过。
我想提出一个替代解决方案,而不是搞乱龙卷风应用程序代码,我通过告诉nginx修复主机头来解决这个问题:
location /ws {
proxy_set_header Host $host;
proxy_pass http://backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}