feat: trust proxy_add_x_forwarded_for iso resetting to remote_addr, refs #4339

Bjorn Post
2021-01-18 20:07:55 +01:00
parent 17d2866153
commit 2cdfa1cae1
3 changed files with 6 additions and 41 deletions


@@ -136,44 +136,9 @@ Certain versions of nginx have bugs that prevent [HTTP/2](https://nginx.org/en/d
Your application has access to the HTTP headers `X-Forwarded-Proto`, `X-Forwarded-Port` and `X-Forwarded-For`. These headers indicate the protocol of the original request (HTTP or HTTPS), the port number, and the IP address of the client making the request, respectively. The default configuration is for Nginx to set these headers.
If your server runs behind an HTTP(S) load balancer, then Nginx will see all requests as coming from the load balancer. If your load balancer sets the `X-Forwarded-` headers, you can tell Nginx to pass these headers from load balancer to your application by using a [custom nginx template](/docs/configuration/nginx.md#customizing-the-nginx-configuration). The following is a simple example of how to do so.
By default, Dokku will append the IP address of the Nginx server to the `X-Forwarded-For`. To your application, `X-Forwarded-For` will contain a list of the IP address of the client making the request, any intermediate load balancer and the Nginx IP address.
```go
server {
listen [::]:{{ .PROXY_PORT }};
listen {{ .PROXY_PORT }};
server_name {{ .NOSSL_SERVER_NAME }};
access_log /var/log/nginx/{{ .APP }}-access.log;
error_log /var/log/nginx/{{ .APP }}-error.log;
location / {
proxy_pass http://{{ .APP }};
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
proxy_set_header X-Forwarded-For $http_x_forwarded_for;
proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
proxy_set_header X-Request-Start $msec;
}
include {{ .DOKKU_ROOT }}/{{ .APP }}/nginx.conf.d/*.conf;
}
upstream {{ .APP }} {
{{ range .DOKKU_APP_WEB_LISTENERS | split " " }}
server {{ . }};
{{ end }}
}
```
Only use this option if:
1. All requests are terminated at the load balancer, and forwarded to Nginx
2. The load balancer is configured to send the `X-Forwarded-` headers (this may be off by default)
If it's possible to make HTTP(S) requests directly to Nginx, bypassing the load balancer, or if the load balancer is not configured to set these headers, then it becomes possible for a client to set these headers to arbitrary values.
This could result in security issue, for example, if your application looks at the value of the `X-Forwarded-Proto` to determine if the request was made over HTTPS.
If you do not want this behavior, you can create a [custom nginx template](/docs/configuration/nginx.md#customizing-the-nginx-configuration) that resets the `X-Forwarded-For` header to a specific value (i.e. `$remote_addr`).
### SSL Port Exposure
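Review bot: the added sentence "Dokku will append the IP address of the Nginx server to the `X-Forwarded-For`" misdescribes what `proxy_add_x_forwarded_for` does: it appends `$remote_addr`, the address of the peer that connected to Nginx (the client itself, or the load balancer in front of Nginx), not Nginx's own address, so the application receives whatever list the client or load balancer sent, followed by the connecting peer's address. The hunk also deletes the "Only use this option if" conditions and the warning that a client able to reach Nginx directly can set these headers to arbitrary values; since preserving the incoming header is now the default rather than an opt-in custom template, that caveat belongs in the new text, together with the guidance that an application should rely only on the rightmost entry (the one appended by Nginx) or on entries added by a known load balancer when it uses `X-Forwarded-For` for access decisions or logging. Minor: "to the `X-Forwarded-For` header" (missing word), and "e.g. `$remote_addr`" rather than "i.e." since `$remote_addr` is one possible value, not the only one.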