Merge branch 'x-forwarded-for' into 'master'

Fix spoofable X-Forwarded-For header for some proxied services

Closes #292

See merge request !416

roles/grafana/templates/nginx.d.conf.j2

@@ -41,7 +41,7 @@ server {
 
 {% set proxy -%}
         proxy_pass http://grafana;
-        proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-For      $remote_addr;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection $connection_upgrade;
 {%- endset %}

roles/hedgedoc/templates/nginx.d.conf.j2

@@ -40,7 +40,7 @@ server {
         proxy_pass http://hedgedoc;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-For $remote_addr;
         proxy_set_header X-Forwarded-Proto $scheme;
 {%- endset %}
 

roles/keycloak/templates/nginx.d.conf.j2

@@ -43,7 +43,7 @@ server {
         access_log   /var/log/nginx/{{ keycloak_domain }}/access.log.json json_main;
         proxy_set_header    Host               $host;
         proxy_set_header    X-Real-IP          $remote_addr;
-        proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
+        proxy_set_header    X-Forwarded-For    $remote_addr;
         proxy_set_header    X-Forwarded-Proto  $scheme;
         proxy_ssl_verify    off;
         proxy_pass https://localhost:{{ keycloak_port }};
@@ -54,7 +54,7 @@ server {
         access_log   /var/log/nginx/{{ keycloak_domain }}/access.log.json json_main;
         proxy_set_header    Host               $host;
         proxy_set_header    X-Real-IP          $remote_addr;
-        proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
+        proxy_set_header    X-Forwarded-For    $remote_addr;
         proxy_set_header    X-Forwarded-Proto  $scheme;
         proxy_ssl_verify    off;
         proxy_pass https://localhost:{{ keycloak_port }};