From 8eb1542f64075b0c7e6bc88f8dca6ada3387aa8a Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Thu, 16 Mar 2023 08:07:57 +0100
Subject: [PATCH] Paranoia: drop the headers we don't use
---
 core/nginx/conf/proxy.conf | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/core/nginx/conf/proxy.conf b/core/nginx/conf/proxy.conf
index e4ff6c93..d0629b97 100644
--- a/core/nginx/conf/proxy.conf
+++ b/core/nginx/conf/proxy.conf
@@ -1,8 +1,9 @@
 # Default proxy setup
 proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header True-Client-IP $remote_addr;
-proxy_set_header Forwarded "";
+proxy_hide_header True-Client-IP;
+proxy_hide_header CF-Connecting-IP;
+
 proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
 {% if REAL_IP_HEADER and REAL_IP_FROM %}
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -10,3 +11,8 @@ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-For $remote_addr;
 {% endif %}
 proxy_http_version 1.1;
+proxy_hide_header Forwarded;
+proxy_hide_header X-Forwarded-Host;
+proxy_hide_header X-Forwarded-Server;
+proxy_hide_header X-Host;
+proxy_hide_header X-HTTP-Host-Override;
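Review bot: `proxy_hide_header` does not strip these headers from the client's request; it only suppresses header fields in the upstream *response* before it is relayed to the client, so every `proxy_hide_header` line added in both hunks leaves the client-supplied `True-Client-IP`, `CF-Connecting-IP`, `Forwarded`, `X-Forwarded-Host`, `X-Forwarded-Server`, `X-Host` and `X-HTTP-Host-Override` request headers passing through to the backend untouched. The directive that drops a request header before proxying is `proxy_set_header NAME "";` (an empty value means the field is not passed upstream), which is exactly the form the first hunk removes for `Forwarded`, so the commit regresses that line rather than tightening it. The removal of `proxy_set_header True-Client-IP $remote_addr;` also means the backend no longer receives a trusted value there; if any upstream consults that header for client-address decisions it now sees whatever the client sent, so blanking it with `proxy_set_header True-Client-IP "";` is the safer replacement. Swapping each new line to the `proxy_set_header … "";` form keeps the intent of the commit and makes it effective.
```nginx
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header True-Client-IP "";
proxy_set_header CF-Connecting-IP "";
# … unchanged: X-Forwarded-Proto / X-Forwarded-For template block …
proxy_http_version 1.1;
proxy_set_header Forwarded "";
proxy_set_header X-Forwarded-Host "";
proxy_set_header X-Forwarded-Server "";
proxy_set_header X-Host "";
proxy_set_header X-HTTP-Host-Override "";
```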