From 6bba0cecfc650d3471a710a93b5344191e5964ab Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sat, 28 Aug 2021 09:02:52 +0200
Subject: [PATCH 1/3] Strip the Forwarded header since nothing is compatible with it yet
---
 core/nginx/conf/proxy.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/core/nginx/conf/proxy.conf b/core/nginx/conf/proxy.conf
index 5a182ea8..5dcb784a 100644
--- a/core/nginx/conf/proxy.conf
+++ b/core/nginx/conf/proxy.conf
@@ -1,6 +1,7 @@
 # Default proxy setup
 proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header Forwarded "";
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
 proxy_http_version 1.1;
From 394c2fe22caee877e995e621888ca53454f2be99 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sat, 28 Aug 2021 10:03:18 +0200
Subject: [PATCH 2/3] Document REAL_IP_HEADER and REAL_IP_FROM
Fix a security vulnerability whereby we were not clearing other headers
---
 core/nginx/conf/proxy.conf | 7 ++++++-
 docs/configuration.rst | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/core/nginx/conf/proxy.conf b/core/nginx/conf/proxy.conf
index 5dcb784a..e4ff6c93 100644
--- a/core/nginx/conf/proxy.conf
+++ b/core/nginx/conf/proxy.conf
@@ -1,7 +1,12 @@
 # Default proxy setup
 proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header True-Client-IP $remote_addr;
 proxy_set_header Forwarded "";
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+{% if REAL_IP_HEADER and REAL_IP_FROM %}
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+{% else %}
+proxy_set_header X-Forwarded-For $remote_addr;
+{% endif %}
 proxy_http_version 1.1;
diff --git a/docs/configuration.rst b/docs/configuration.rst
index 27f8db7d..3d536fd4 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
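Review bot: The added `proxy_set_header Forwarded "";` relies on a non-obvious nginx rule — a header given an empty value is not passed upstream at all — so the directive strips any client-supplied Forwarded header rather than forwarding an empty one, and a reader skimming the file would not guess that from the line. A one-line comment above it would make the intent explicit: `# empty value makes nginx drop the inbound Forwarded header instead of relaying it`. The rest of proxy.conf after proxy_http_version is outside the hunk, so I cannot tell whether other pass-through headers are handled there.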
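Review bot: `proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;` stays unconditional while X-Forwarded-For is now gated on REAL_IP_HEADER and REAL_IP_FROM; that variable is defined outside this hunk, and if it is derived from the incoming X-Forwarded-Proto header (as such map variables commonly are), an unproxied client can still assert `https` in the untrusted branch even though its X-Forwarded-For is discarded. The consistent fix is to move the directive inside the same `{% if %}` and use `proxy_set_header X-Forwarded-Proto $scheme;` in the `{% else %}` branch, since `$scheme` reflects the connection nginx actually terminated. Also note that in the trusted branch `$proxy_add_x_forwarded_for` appends `$remote_addr` to whatever chain the upstream proxy relayed, so the backend must read the last hop rather than the first; a comment above the `{% if %}` stating that without REAL_IP_FROM all client-supplied forwarding headers are replaced by the direct peer address would document the contract. The remainder of proxy.conf is outside the hunk.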
@@ -169,6 +169,7 @@ The ``LETSENCRYPT_SHORTCHAIN`` (default: False) setting controls whether we send
 .. _`android handsets older than 7.1.1`: https://community.letsencrypt.org/t/production-chain-changes/150739
+The ``REAL_IP_HEADER`` (default: unset) and ``REAL_IP_FROM`` (default: unset) settings controls whether HTTP headers such as ``X-Forwarded-For`` or ``X-Real-IP`` should be trusted. The former should be the name of the HTTP header to extract the client IP address from and the later a comma separated list of IP addresses designing which proxies to trust. If you are using Mailu behind a reverse proxy, you should set both. Setting the former without the later introduces a security vulnerability allowing a potential attacker to spoof his source address.
 Antivirus settings
 ------------------
From 8106892ee804f7009d032cad8031199bf33f0326 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Sat, 28 Aug 2021 10:06:22 +0200
Subject: [PATCH 3/3] towncrier
---
 towncrier/newsfragments/1960.bugfix | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 towncrier/newsfragments/1960.bugfix
diff --git a/towncrier/newsfragments/1960.bugfix b/towncrier/newsfragments/1960.bugfix
new file mode 100644
index 00000000..ecf5ac50
--- /dev/null
+++ b/towncrier/newsfragments/1960.bugfix
@@ -0,0 +1 @@
+Ensure that we do not trust the source-ip address set in headers if REAL_IP_HEADER isn't set. If you are using Mailu behind a reverse proxy, please ensure that you do read the documentation.