Document REAL_IP_HEADER and REAL_IP_FROM

Fix a security vulnerability whereby we were not clearing other headers
master
Florent Daigniere 3 years ago
parent 6bba0cecfc
commit 394c2fe22c

@ -1,7 +1,12 @@
# Default proxy setup # Default proxy setup
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header True-Client-IP $remote_addr;
proxy_set_header Forwarded ""; proxy_set_header Forwarded "";
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
{% if REAL_IP_HEADER and REAL_IP_FROM %}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
{% else %}
proxy_set_header X-Forwarded-For $remote_addr;
{% endif %}
proxy_http_version 1.1; proxy_http_version 1.1;

@ -169,6 +169,7 @@ The ``LETSENCRYPT_SHORTCHAIN`` (default: False) setting controls whether we send
.. _`android handsets older than 7.1.1`: https://community.letsencrypt.org/t/production-chain-changes/150739 .. _`android handsets older than 7.1.1`: https://community.letsencrypt.org/t/production-chain-changes/150739
The ``REAL_IP_HEADER`` (default: unset) and ``REAL_IP_FROM`` (default: unset) settings controls whether HTTP headers such as ``X-Forwarded-For`` or ``X-Real-IP`` should be trusted. The former should be the name of the HTTP header to extract the client IP address from and the later a comma separated list of IP addresses designing which proxies to trust. If you are using Mailu behind a reverse proxy, you should set both. Setting the former without the later introduces a security vulnerability allowing a potential attacker to spoof his source address.
Antivirus settings Antivirus settings
------------------ ------------------

Loading…
Cancel
Save