From 25b9db4b0020a6792986c85aa188050ae45ef11f Mon Sep 17 00:00:00 2001
From: Dimitri Huisman
Date: Sat, 18 Mar 2023 08:14:46 +0000
Subject: [PATCH] Proxy endpoint was checking real client ip instead of proxy ip for validating PROXY_AUTH_WHITELIST
---
 core/admin/mailu/sso/views/base.py | 5 +++--
 core/nginx/conf/nginx.conf | 1 +
 core/nginx/conf/proxy.conf | 1 +
 towncrier/newsfragments/2708.bugfix | 3 +++
 4 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 towncrier/newsfragments/2708.bugfix
diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index 6535a98c..bdc31889 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -92,9 +92,10 @@ def _has_usable_redirect():
 https://mailu.io/master/configuration.html#header-authentication-using-an-external-proxy
 """
 def _proxy():
- ip = ipaddress.ip_address(flask.request.remote_addr)
+ proxy_ip = flask.request.headers.get('X-Forwarded-By')
+ ip = ipaddress.ip_address(proxy_ip)
 if not any(ip in cidr for cidr in app.config['PROXY_AUTH_WHITELIST']):
- return flask.abort(500, '%s is not on PROXY_AUTH_WHITELIST' % flask.request.remote_addr)
+ return flask.abort(500, '%s is not on PROXY_AUTH_WHITELIST' % proxy_ip)
 email = flask.request.headers.get(app.config['PROXY_AUTH_HEADER'])
 if not email:
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 85f22e45..91eb26e7 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -231,6 +231,7 @@ http {
 auth_request /internal/auth/admin;
 proxy_set_header X-Real-IP "";
 proxy_set_header X-Forwarded-For "";
+ proxe_set_header X-Forwarded-By: "";
 proxy_pass http://$antispam;
 error_page 403 @sso_login;
 }
diff --git a/core/nginx/conf/proxy.conf b/core/nginx/conf/proxy.conf
index caad476b..32fc5ccf 100644
--- a/core/nginx/conf/proxy.conf
+++ b/core/nginx/conf/proxy.conf
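Review bot: `ipaddress.ip_address(proxy_ip)` raises ValueError when the X-Forwarded-By header is absent, because `flask.request.headers.get('X-Forwarded-By')` then returns None, so a request that reaches `_proxy` without the header ends in an unhandled exception rather than the intended abort with a readable message. Guard the lookup before parsing, e.g. `if not proxy_ip: return flask.abort(500, 'X-Forwarded-By header is missing')`. The whitelist check is now only as trustworthy as the guarantee that the fronting nginx overwrites or clears X-Forwarded-By on every route into this endpoint, which this file cannot enforce itself; a comment above the lookup such as `# X-Forwarded-By is set by our own nginx (proxy.conf); it must never be passed through from the client` would record that dependency for the next maintainer. The body of `_proxy` continues past the end of the hunk.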
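Review bot: The added line `proxe_set_header X-Forwarded-By: "";` in nginx.conf will not load: `proxe_set_header` is not an nginx directive, so the whole configuration fails to parse, and the trailing colon would turn the header name into `X-Forwarded-By:` even after the directive name is corrected. It should read `proxy_set_header X-Forwarded-By "";`, matching the two `proxy_set_header` lines directly above it. From the visible context this clears the header only in the location that proxies to `$antispam`; whether other locations that front the admin proxy endpoint also clear it is outside this hunk and worth checking, since base.py now trusts that header for the PROXY_AUTH_WHITELIST decision.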
@@ -7,6 +7,7 @@ proxy_hide_header CF-Connecting-IP;
 proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
 {% if REAL_IP_HEADER and REAL_IP_FROM %}
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-By $realip_remote_addr;
 {% else %}
 proxy_set_header X-Forwarded-For $remote_addr;
 {% endif %}
diff --git a/towncrier/newsfragments/2708.bugfix b/towncrier/newsfragments/2708.bugfix
new file mode 100644
index 00000000..8b25338d
--- /dev/null
+++ b/towncrier/newsfragments/2708.bugfix
@@ -0,0 +1,3 @@
+Proxy authentication was using the real client ip instead of the proxy
+IP for checking the PROXY_AUTH_WHITELIST.
+
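Review bot: X-Forwarded-By is set only inside the `{% if REAL_IP_HEADER and REAL_IP_FROM %}` branch; in the `{% else %}` branch it is neither set nor cleared, and nginx forwards unrecognised request headers to the upstream by default, so in that configuration a client-supplied X-Forwarded-By would reach the backend that base.py now reads for the PROXY_AUTH_WHITELIST check. Add `proxy_set_header X-Forwarded-By "";` to the else branch, next to the `proxy_set_header X-Forwarded-For $remote_addr;` line, so the header is always set by this template and never by the client. The choice of `$realip_remote_addr` in the if branch is correct: with the realip module active it keeps the address of the peer that connected, i.e. the upstream proxy, whereas `$remote_addr` is rewritten to the real client address.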