feat: configure trust x-forwarded-for headers via nginx:set iso trust by default, refs #4339

docs/configuration/ssl.md

@@ -136,9 +136,12 @@ Certain versions of nginx have bugs that prevent [HTTP/2](https://nginx.org/en/d
 
 Your application has access to the HTTP headers `X-Forwarded-Proto`, `X-Forwarded-Port` and `X-Forwarded-For`. These headers indicate the protocol of the original request (HTTP or HTTPS), the port number, and the IP address of the client making the request, respectively. The default configuration is for Nginx to set these headers.
 
-By default, Dokku will append the IP address of the Nginx server to the `X-Forwarded-For`. To your application, `X-Forwarded-For` will contain a list of the IP address of the client making the request, any intermediate load balancer and the Nginx IP address.
+If your server runs behind an HTTP(S) load balancer, then Nginx will see all requests as coming from the load balancer. If your load balancer sets the `X-Forwarded-` headers, you can tell Nginx to pass these headers from load balancer to your application via `nginx:set`:
 
-If you do not want this behavior, you can create a [custom nginx template](/docs/configuration/nginx.md#customizing-the-nginx-configuration) that resets the `X-Forwarded-For` header to a specific value (i.e. `$remote_addr`).
+```shell
+dokku nginx:set node-js-app trust-x-forwarded-for true
+dokku nginx:set node-js-app trust-x-forwarded-for false
+```
 
 ### SSL Port Exposure
 

plugins/nginx-vhosts/functions

@@ -462,6 +462,8 @@ nginx_build_config() {
       local NGINX_BIND_ADDRESS_IP6="$(fn-plugin-property-get-default "nginx" "$APP" "bind-address-ipv6" "::")"
       [[ -z "$NGINX_BIND_ADDRESS_IP6" ]] && NGINX_BIND_ADDRESS_IP6="::"
 
+      local PROXY_TRUST_X_FORWARDED_FOR="$(fn-plugin-property-get-default "nginx" "$APP" "trust-x-forwarded-for" "false")"
+
       eval "$(config_export app "$APP")"
       local SIGIL_PARAMS=(-f "$NGINX_TEMPLATE" APP="$APP" DOKKU_ROOT="$DOKKU_ROOT"
         NOSSL_SERVER_NAME="$NOSSL_SERVER_NAME"
@@ -490,7 +492,8 @@ nginx_build_config() {
         # Deprecated: Remove this after a few versions
         NGINX_PORT="$PROXY_PORT" NGINX_SSL_PORT="$PROXY_SSL_PORT"
         PROXY_PORT="$PROXY_PORT" PROXY_SSL_PORT="$PROXY_SSL_PORT" RAW_TCP_PORTS="$RAW_TCP_PORTS"
-        PROXY_PORT_MAP="$PROXY_PORT_MAP" PROXY_UPSTREAM_PORTS="$PROXY_UPSTREAM_PORTS")
+        PROXY_PORT_MAP="$PROXY_PORT_MAP" PROXY_UPSTREAM_PORTS="$PROXY_UPSTREAM_PORTS"
+        PROXY_TRUST_X_FORWARDED_FOR="$PROXY_TRUST_X_FORWARDED_FOR")
 
       local DOKKU_SCALE_FILE="$DOKKU_ROOT/$APP/DOKKU_SCALE"
       while read -r line || [[ -n "$line" ]]; do

plugins/nginx-vhosts/templates/nginx.conf.sigil

@@ -34,7 +34,7 @@ server {
     proxy_set_header Connection $http_connection;
     proxy_set_header Host $http_host;
     proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-For {{ if $.PROXY_TRUST_X_FORWARDED_FOR eq "true" }}$proxy_add_x_forwarded_for{{ else }}$remote_addr{{ end }};
     proxy_set_header X-Forwarded-Port $server_port;
     proxy_set_header X-Request-Start $msec;
   }
@@ -97,7 +97,7 @@ server {
     proxy_set_header Connection $http_connection;
     proxy_set_header Host $http_host;
     proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-For {{ if $.PROXY_TRUST_X_FORWARDED_FOR eq "true" }}$proxy_add_x_forwarded_for{{ else }}$remote_addr{{ end }};
     proxy_set_header X-Forwarded-Port $server_port;
     proxy_set_header X-Request-Start $msec;
   }