Fix spoofable X-Forwarded-For header for some proxied services

X-Forwarded-For is defined as X-Forwarded-For: <client>, <proxy1>, <proxy2>, and it was set to $proxy_add_x_forwarded_for which is basically $http_x_forwarded_for,$remote_addr and headers from the client can't be trusted! Fix #292

Fix spoofable X-Forwarded-For header for some proxied services
18384166 · Kristian Klausen · Jelle van der Waa · 813bc239 · 18384166 · 18384166
Commit 18384166 authored 3 years ago by Kristian Klausen Committed by Jelle van der Waa 3 years ago
--- a/roles/grafana/templates/nginx.d.conf.j2
+++ b/roles/grafana/templates/nginx.d.conf.j2
@@ -41,7 +41,7 @@ server {

 {% set proxy -%}
        proxy_pass http://grafana;
-        proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-For      $remote_addr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
 {%- endset %}

--- a/roles/hedgedoc/templates/nginx.d.conf.j2
+++ b/roles/hedgedoc/templates/nginx.d.conf.j2
@@ -40,7 +40,7 @@ server {
        proxy_pass http://hedgedoc;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
 {%- endset %}


--- a/roles/keycloak/templates/nginx.d.conf.j2
+++ b/roles/keycloak/templates/nginx.d.conf.j2
@@ -43,7 +43,7 @@ server {
        access_log   /var/log/nginx/{{ keycloak_domain }}/access.log.json json_main;
        proxy_set_header    Host               $host;
        proxy_set_header    X-Real-IP          $remote_addr;
-        proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
+        proxy_set_header    X-Forwarded-For    $remote_addr;
        proxy_set_header    X-Forwarded-Proto  $scheme;
        proxy_ssl_verify    off;
        proxy_pass https://localhost:{{ keycloak_port }};
@@ -54,7 +54,7 @@ server {
        access_log   /var/log/nginx/{{ keycloak_domain }}/access.log.json json_main;
        proxy_set_header    Host               $host;
        proxy_set_header    X-Real-IP          $remote_addr;
-        proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
+        proxy_set_header    X-Forwarded-For    $remote_addr;
        proxy_set_header    X-Forwarded-Proto  $scheme;
        proxy_ssl_verify    off;
        proxy_pass https://localhost:{{ keycloak_port }};