Commit 18384166 authored by Kristian Klausen's avatar Kristian Klausen 🎉 Committed by Jelle van der Waa

Fix spoofable X-Forwarded-For header for some proxied services

X-Forwarded-For is defined as X-Forwarded-For: <client>, <proxy1>,
<proxy2>, and it was set to $proxy_add_x_forwarded_for which is
basically $http_x_forwarded_for,$remote_addr and headers from the client
can't be trusted!

Fix #292
parent 813bc239
......@@ -41,7 +41,7 @@ server {
{% set proxy -%}
proxy_pass http://grafana;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
{%- endset %}
......
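Review bot: Only X-Forwarded-For is overwritten in this proxy block, and nginx passes every other request header to the upstream unchanged, so a client-supplied `Forwarded` header (RFC 7239) still reaches Grafana; the same holds for the hedgedoc and keycloak sections below. Whether any of these backends reads that header is not visible from the hunks, but clearing it next to the changed line with `proxy_set_header Forwarded "";` removes the question. The enclosing server block starts and ends outside the hunk, so a header already handled elsewhere in the template cannot be ruled out.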
......@@ -40,7 +40,7 @@ server {
proxy_pass http://hedgedoc;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
{%- endset %}
......
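Review bot: The line `proxy_set_header X-Forwarded-For $remote_addr;` carries no comment explaining why the commonly used `$proxy_add_x_forwarded_for` is avoided, so a later edit could quietly restore it. I would add above it `# $remote_addr on purpose: $proxy_add_x_forwarded_for appends to the client-supplied header`. After this change X-Real-IP and X-Forwarded-For carry the same value, which is correct only while nginx is the first hop; if a load balancer is ever placed in front, the client address should presumably be recovered with the realip module (`set_real_ip_from`, `real_ip_header`) rather than by reverting this line. The proxy block opens outside the hunk.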
......@@ -43,7 +43,7 @@ server {
access_log /var/log/nginx/{{ keycloak_domain }}/access.log.json json_main;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_ssl_verify off;
proxy_pass https://localhost:{{ keycloak_port }};
......@@ -54,7 +54,7 @@ server {
access_log /var/log/nginx/{{ keycloak_domain }}/access.log.json json_main;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_ssl_verify off;
proxy_pass https://localhost:{{ keycloak_port }};
......
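Review bot: The same four `proxy_set_header` lines are repeated in both hunks of this section (around lines 43 and 54, which appear to be two locations in one template), and that duplication is how a header fix ends up applied in one place and missed in another. The grafana and hedgedoc templates appear to collect their proxy directives in a `{% set proxy -%}` block; doing the same here would leave a single X-Forwarded-For line to maintain. Both hunks also sit next to `proxy_ssl_verify off;`, which this commit does not touch and which deserves a comment stating that it is presumably tolerated only because the upstream is `localhost`. The surrounding location blocks start and end outside the hunks.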