From 25b9db4b0020a6792986c85aa188050ae45ef11f Mon Sep 17 00:00:00 2001
From: Dimitri Huisman <diman@huisman.xyz>
Date: Sat, 18 Mar 2023 08:14:46 +0000
Subject: [PATCH] Proxy endpoint was checking real client ip instead of proxy
 ip for validating PROXY_AUTH_WHITELIST

---
 core/admin/mailu/sso/views/base.py  | 5 +++--
 core/nginx/conf/nginx.conf          | 1 +
 core/nginx/conf/proxy.conf          | 1 +
 towncrier/newsfragments/2708.bugfix | 3 +++
 4 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 towncrier/newsfragments/2708.bugfix

diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index 6535a98c..bdc31889 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -92,9 +92,10 @@ def _has_usable_redirect():
 https://mailu.io/master/configuration.html#header-authentication-using-an-external-proxy
 """
 def _proxy():
-    ip = ipaddress.ip_address(flask.request.remote_addr)
+    proxy_ip = flask.request.headers.get('X-Forwarded-By')
+    ip = ipaddress.ip_address(proxy_ip)
     if not any(ip in cidr for cidr in app.config['PROXY_AUTH_WHITELIST']):
-        return flask.abort(500, '%s is not on PROXY_AUTH_WHITELIST' % flask.request.remote_addr)
+        return flask.abort(500, '%s is not on PROXY_AUTH_WHITELIST' % proxy_ip)
 
     email = flask.request.headers.get(app.config['PROXY_AUTH_HEADER'])
     if not email:
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 85f22e45..91eb26e7 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -231,6 +231,7 @@ http {
         auth_request /internal/auth/admin;
         proxy_set_header X-Real-IP "";
         proxy_set_header X-Forwarded-For "";
+        proxe_set_header X-Forwarded-By: "";
         proxy_pass http://$antispam;
         error_page 403 @sso_login;
       }
diff --git a/core/nginx/conf/proxy.conf b/core/nginx/conf/proxy.conf
index caad476b..32fc5ccf 100644
--- a/core/nginx/conf/proxy.conf
+++ b/core/nginx/conf/proxy.conf
@@ -7,6 +7,7 @@ proxy_hide_header CF-Connecting-IP;
 proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
 {% if REAL_IP_HEADER and REAL_IP_FROM %}
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-By $realip_remote_addr;
 {% else %}
 proxy_set_header X-Forwarded-For $remote_addr;
 {% endif %}
diff --git a/towncrier/newsfragments/2708.bugfix b/towncrier/newsfragments/2708.bugfix
new file mode 100644
index 00000000..8b25338d
--- /dev/null
+++ b/towncrier/newsfragments/2708.bugfix
@@ -0,0 +1,3 @@
+Proxy authentication was using the real client ip instead of the proxy
+IP for checking the PROXY_AUTH_WHITELIST.
+