Document REAL_IP_HEADER and REAL_IP_FROM

Fix a security vulnerability whereby we were not clearing other headers

core/nginx/conf/proxy.conf

@@ -1,7 +1,12 @@
 # Default proxy setup
 proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header True-Client-IP $remote_addr;
 proxy_set_header Forwarded "";
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+{% if REAL_IP_HEADER and REAL_IP_FROM %}
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+{% else %}
+proxy_set_header X-Forwarded-For $remote_addr;
+{% endif %}
 proxy_http_version 1.1;

docs/configuration.rst

@@ -169,6 +169,7 @@ The ``LETSENCRYPT_SHORTCHAIN`` (default: False) setting controls whether we send
 
 .. _`android handsets older than 7.1.1`: https://community.letsencrypt.org/t/production-chain-changes/150739
 
+The ``REAL_IP_HEADER`` (default: unset) and ``REAL_IP_FROM`` (default: unset) settings controls whether HTTP headers such as ``X-Forwarded-For`` or ``X-Real-IP`` should be trusted. The former should be the name of the HTTP header to extract the client IP address from and the later a comma separated list of IP addresses designing which proxies to trust. If you are using Mailu behind a reverse proxy, you should set both. Setting the former without the later introduces a security vulnerability allowing a potential attacker to spoof his source address.
 
 Antivirus settings
 ------------------