From 1838416633e2f028f9961cf55e7a599b20bf736c Mon Sep 17 00:00:00 2001
From: Kristian Klausen <kristian@klausen.dk>
Date: Sun, 6 Jun 2021 17:22:57 +0200
Subject: [PATCH] Fix spoofable X-Forwarded-For header for some proxied
 services

X-Forwarded-For is defined as `X-Forwarded-For: <client>, <proxy1>,
<proxy2>`, and it was set to $proxy_add_x_forwarded_for, which is
essentially $http_x_forwarded_for followed by $remote_addr — and headers
supplied by the client can't be trusted!

Fix #292
---
 roles/grafana/templates/nginx.d.conf.j2  | 2 +-
 roles/hedgedoc/templates/nginx.d.conf.j2 | 2 +-
 roles/keycloak/templates/nginx.d.conf.j2 | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/roles/grafana/templates/nginx.d.conf.j2 b/roles/grafana/templates/nginx.d.conf.j2
index afc6e7685..20ee1c031 100644
--- a/roles/grafana/templates/nginx.d.conf.j2
+++ b/roles/grafana/templates/nginx.d.conf.j2
@@ -41,7 +41,7 @@ server {
 
 {% set proxy -%}
         proxy_pass http://grafana;
-        proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-For      $remote_addr;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection $connection_upgrade;
 {%- endset %}
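Review bot: Setting X-Forwarded-For to bare $remote_addr at the added proxy_set_header line is only correct while this nginx is the first hop; if a trusted load balancer or CDN is ever placed in front of it, $remote_addr becomes that proxy's address and the real client IP is silently lost instead of spoofed. If that topology is possible, the usual approach is the realip module at http/server level, `set_real_ip_from <trusted-proxy-CIDR>;` plus `real_ip_header X-Forwarded-For;`, so that $remote_addr (and therefore this header and X-Real-IP) already holds the validated client address. The same replacement appears in the hedgedoc hunk and in both keycloak hunks, so the same caveat applies there. A why-comment next to each changed line, e.g. `# nginx is the edge proxy: never forward a client-supplied X-Forwarded-For`, would stop a later maintainer from reverting to $proxy_add_x_forwarded_for. The fix also presumes the upstream services accept X-Forwarded-For only from this nginx; where an upstream listens beyond localhost (grafana's upstream is not visible here), direct requests to it would still carry whatever header the client chooses.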
diff --git a/roles/hedgedoc/templates/nginx.d.conf.j2 b/roles/hedgedoc/templates/nginx.d.conf.j2
index b9edcfd66..7680bdaca 100644
--- a/roles/hedgedoc/templates/nginx.d.conf.j2
+++ b/roles/hedgedoc/templates/nginx.d.conf.j2
@@ -40,7 +40,7 @@ server {
         proxy_pass http://hedgedoc;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-For $remote_addr;
         proxy_set_header X-Forwarded-Proto $scheme;
 {%- endset %}
 
diff --git a/roles/keycloak/templates/nginx.d.conf.j2 b/roles/keycloak/templates/nginx.d.conf.j2
index f39f06ac8..083a947df 100644
--- a/roles/keycloak/templates/nginx.d.conf.j2
+++ b/roles/keycloak/templates/nginx.d.conf.j2
@@ -43,7 +43,7 @@ server {
         access_log   /var/log/nginx/{{ keycloak_domain }}/access.log.json json_main;
         proxy_set_header    Host               $host;
         proxy_set_header    X-Real-IP          $remote_addr;
-        proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
+        proxy_set_header    X-Forwarded-For    $remote_addr;
         proxy_set_header    X-Forwarded-Proto  $scheme;
         proxy_ssl_verify    off;
         proxy_pass https://localhost:{{ keycloak_port }};
@@ -54,7 +54,7 @@ server {
         access_log   /var/log/nginx/{{ keycloak_domain }}/access.log.json json_main;
         proxy_set_header    Host               $host;
         proxy_set_header    X-Real-IP          $remote_addr;
-        proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
+        proxy_set_header    X-Forwarded-For    $remote_addr;
         proxy_set_header    X-Forwarded-Proto  $scheme;
         proxy_ssl_verify    off;
         proxy_pass https://localhost:{{ keycloak_port }};
-- 
GitLab