Some nginx configs are vulnerable to X-Forwarded-For spoofing

We use proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; in the hedgedoc, grafana and keycloak roles.

X-Forwarded-For is defined as X-Forwarded-For: <client>, <proxy1>, <proxy2>, and $proxy_add_x_forwarded_for expands to $http_x_forwarded_for,$remote_addr, i.e. whatever header value the client sent, with the connecting address appended.

So a user can simply send X-Forwarded-For: 1.2.3.4 and the IP is spoofed (at least the IP seen by the proxied service, if it reads the first entry of the chain).
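To make the mechanism concrete, here is an added example (not code from this issue or from the affected roles) that models what $proxy_add_x_forwarded_for produces and contrasts the naive "take the leftmost entry" lookup with a lookup that counts back over the number of proxies we actually control. The addresses, the TRUSTED_PROXY_HOPS value and the function names are all constructed for the example.

```python
# Added example (not from the original issue): models how nginx builds
# X-Forwarded-For with $proxy_add_x_forwarded_for and how the proxied
# service should pick the client address from it.
import ipaddress
from typing import Optional

# Constructed assumption: nginx sits directly in front of the app, so the
# app sees exactly one trusted proxy hop.
TRUSTED_PROXY_HOPS = 1


def proxy_add_x_forwarded_for(incoming_xff: Optional[str], remote_addr: str) -> str:
    """Mirror nginx's $proxy_add_x_forwarded_for: the incoming header value
    with $remote_addr appended, or just $remote_addr if no header was sent."""
    if incoming_xff:
        return f"{incoming_xff},{remote_addr}"
    return remote_addr


def naive_client_ip(xff: str) -> str:
    """What many applications do: take the leftmost entry. Anything the
    client put into its own X-Forwarded-For header ends up here."""
    return xff.split(",")[0].strip()


def client_ip_behind_trusted_proxies(xff: str, trusted_hops: int = TRUSTED_PROXY_HOPS) -> Optional[str]:
    """Count back from the right over the hops our own proxies appended; the
    entry at that position is the TCP peer the first trusted proxy saw, so
    the client cannot forge it. Returns None if the chain is shorter than
    expected or the entry is not a valid IP address."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if trusted_hops < 1 or len(hops) < trusted_hops:
        return None
    candidate = hops[-trusted_hops]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def simulate(incoming_xff: Optional[str], remote_addr: str) -> dict:
    """Run one request through the proxy and both resolution strategies."""
    forwarded = proxy_add_x_forwarded_for(incoming_xff, remote_addr)
    return {
        "header": forwarded,
        "naive": naive_client_ip(forwarded),
        "trusted": client_ip_behind_trusted_proxies(forwarded),
    }


if __name__ == "__main__":
    # Constructed: the real client 203.0.113.7 sends a forged header.
    print(simulate("1.2.3.4", "203.0.113.7"))
    # Constructed: the same client sends no header at all.
    print(simulate(None, "203.0.113.7"))
```

With the forged header, the naive lookup returns 1.2.3.4 while the trusted-hop lookup returns 203.0.113.7. If the application cannot be configured with a trusted proxy count, the nginx side can drop the client-supplied chain instead by setting proxy_set_header X-Forwarded-For $remote_addr; (overwriting rather than appending), which is the directive-level fix for the roles named above.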
