Workaround security issues in django-axes

Newer versions of Django axes have newly way to get the IP address of a client
using ipware library. This has multiple security issues
https://github.com/jazzband/django-axes/issues/286 . Workaround them by
controlling the X-FORWARDED-FOR header sent from Apache to FreedomBox and by
limiting the headers that ipware uses.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>

data/etc/apache2/sites-available/plinth.conf

@@ -11,4 +11,12 @@
     ## Send the scheme from user's request to enable Plinth to redirect
     ## URLs, set cookies, set absolute URLs (if any) properly.
     RequestHeader    set X-Forwarded-Proto 'https' env=HTTPS
+
+    ## Ignore any X-FORWARDED-FOR headers sent by the client and their
+    ## proxies. Apache will still set this header with the remote
+    ## address of the client. Apache is the first and only trusted entry
+    ## point for FreedomBox. Any code that does not deal with this
+    ## header properly will remain safe. For example:
+    ## https://github.com/jazzband/django-axes/issues/286
+    RequestHeader    unset X-Forwarded-For
 </Location>

plinth/__main__.py

@@ -273,6 +273,7 @@ def configure_django():
         DEBUG=cfg.debug,
         FORCE_SCRIPT_NAME=cfg.server_dir,
         INSTALLED_APPS=applications,
+        IPWARE_META_PRECEDENCE_ORDER=('HTTP_X_FORWARDED_FOR',),
         LOGGING=logging_configuration,
         LOGIN_URL='users:login',
         LOGIN_REDIRECT_URL='index',