From 394c2fe22caee877e995e621888ca53454f2be99 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sat, 28 Aug 2021 10:03:18 +0200
Subject: [PATCH] Document REAL_IP_HEADER and REAL_IP_FROM

Fix a security vulnerability whereby we were not clearing other headers
---
 core/nginx/conf/proxy.conf | 7 ++++++-
 docs/configuration.rst | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/core/nginx/conf/proxy.conf b/core/nginx/conf/proxy.conf
index 5dcb784a..e4ff6c93 100644
--- a/core/nginx/conf/proxy.conf
+++ b/core/nginx/conf/proxy.conf
@@ -1,7 +1,12 @@
 # Default proxy setup
 proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header True-Client-IP $remote_addr;
 proxy_set_header Forwarded "";
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+{% if REAL_IP_HEADER and REAL_IP_FROM %}
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+{% else %}
+proxy_set_header X-Forwarded-For $remote_addr;
+{% endif %}
 proxy_http_version 1.1;
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 27f8db7d..3d536fd4 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
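Review bot: The `{% else %}` branch and the new `True-Client-IP` reset only neutralise the header names this hunk enumerates; nginx forwards every other client-supplied request header to the upstream unchanged, so any further address-carrying header the backend happens to honour (`X-Client-IP` is a common one) would need its own `proxy_set_header X-Client-IP "";` line here, and which headers the upstream actually reads is not visible in this diff. In the `{% if %}` branch, `$proxy_add_x_forwarded_for` passes the incoming `X-Forwarded-For` through verbatim with `$remote_addr` appended, which is only sound if the upstream takes the entry adjacent to a trusted proxy as the client address; presumably the `REAL_IP_FROM` list is applied by real_ip directives elsewhere in the template, so that pairing should be confirmed. A one-line comment above the conditional would help the next reader, e.g. `# No trusted-proxy list: replace any client-supplied X-Forwarded-For instead of appending to it`.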
@@ -169,6 +169,7 @@ The ``LETSENCRYPT_SHORTCHAIN`` (default: False) setting controls whether we send
 .. _`android handsets older than 7.1.1`: https://community.letsencrypt.org/t/production-chain-changes/150739
+The ``REAL_IP_HEADER`` (default: unset) and ``REAL_IP_FROM`` (default: unset) settings controls whether HTTP headers such as ``X-Forwarded-For`` or ``X-Real-IP`` should be trusted. The former should be the name of the HTTP header to extract the client IP address from and the later a comma separated list of IP addresses designing which proxies to trust. If you are using Mailu behind a reverse proxy, you should set both. Setting the former without the later introduces a security vulnerability allowing a potential attacker to spoof his source address.
 Antivirus settings
 ------------------