mirror of https://github.com/zulip/zulip.git
nginx: Suppress proxy warnings when the proxy itself sent the request.
This is common in cases where the reverse proxy itself is making health-check requests to the Zulip server; these requests have no X-Forwarded-* headers, so would normally hit the error case of "request through the proxy, but no X-Forwarded-Proto header". Add an additional special-case for when the request's originating IP address is resolved to be the reverse proxy itself; in these cases, HTTP requests with no X-Forwarded-Proto are acceptable.
This commit is contained in:
Alex Vandiver
Tim Abbott
parent
a8e1c22687
commit
135acfea93
|
|
@ -8,9 +8,9 @@ map $http_x_forwarded_for $x_proxy_misconfiguration {
|
|||
"~." "No proxies configured in Zulip, but proxy headers detected from proxy at $remote_addr; see https://zulip.readthedocs.io/en/latest/production/deployment.html#putting-the-zulip-application-behind-a-reverse-proxy";
|
||||
}
|
||||
<% else %>
|
||||
# We do this in two steps because `geo` does not support variable
|
||||
# interpolation in the value, but does support CIDR notation,
|
||||
# which the loadbalancer list may use.
|
||||
# Check if the request's original `REMOTE_ADDR` header was from a
|
||||
# trusted host -- that is, the request did bounce through a proxy and
|
||||
# we should trust `X-Forwarded-Proto`
|
||||
geo $realip_remote_addr $is_x_forwarded_proto_trusted {
|
||||
default 0;
|
||||
<% @loadbalancers.each do |host| -%>
|
||||
|
|
@ -18,13 +18,27 @@ geo $realip_remote_addr $is_x_forwarded_proto_trusted {
|
|||
<% end -%>
|
||||
}
|
||||
|
||||
# Check if the IP address that we resolved the request as coming
|
||||
# (after looking at X-Fowarded-For, if any) from is actually the proxy
|
||||
# itself.
|
||||
geo $remote_addr $is_from_proxy {
|
||||
default 0;
|
||||
<% @loadbalancers.each do |host| -%>
|
||||
<%= host %> 1;
|
||||
<% end -%>
|
||||
}
|
||||
|
||||
# We set $trusted_x_forwarded_proto in two steps because `geo` does
|
||||
# not support variable interpolation in the value, but does support
|
||||
# CIDR notation, which the loadbalancer list may use.
|
||||
map $is_x_forwarded_proto_trusted $trusted_x_forwarded_proto {
|
||||
0 $scheme;
|
||||
1 $http_x_forwarded_proto;
|
||||
}
|
||||
map "$is_x_forwarded_proto_trusted:$http_x_forwarded_proto" $x_proxy_misconfiguration {
|
||||
"~^0:" "Incorrect reverse proxy IPs set in Zulip (try $remote_addr?); see https://zulip.readthedocs.io/en/latest/production/deployment.html#putting-the-zulip-application-behind-a-reverse-proxy";
|
||||
"~^1:$" "No X-Forwarded-Proto header sent from trusted proxy $realip_remote_addr; see example configurations in https://zulip.readthedocs.io/en/latest/production/deployment.html#putting-the-zulip-application-behind-a-reverse-proxy";
|
||||
|
||||
map "$is_from_proxy:$is_x_forwarded_proto_trusted:$http_x_forwarded_proto" $x_proxy_misconfiguration {
|
||||
"~^0:0:" "Incorrect reverse proxy IPs set in Zulip (try $remote_addr?); see https://zulip.readthedocs.io/en/latest/production/deployment.html#putting-the-zulip-application-behind-a-reverse-proxy";
|
||||
"~^0:1:$" "No X-Forwarded-Proto header sent from trusted proxy $realip_remote_addr; see example configurations in https://zulip.readthedocs.io/en/latest/production/deployment.html#putting-the-zulip-application-behind-a-reverse-proxy";
|
||||
default "";
|
||||
}
|
||||
<% end %>
|
||||
|
|
|
|||
|
|
@ -622,7 +622,7 @@ class DetectProxyMisconfiguration(MiddlewareMixin):
|
|||
# Our nginx configuration sets this header if:
|
||||
# - there is an X-Forwarded-For set but no proxies configured in Zulip
|
||||
# - proxies are configured but the request did not come from them
|
||||
# - proxies are configured and the request came from them,
|
||||
# - proxies are configured and the request came through them,
|
||||
# but there was no X-Forwarded-Proto header
|
||||
#
|
||||
# Note that the first two may be false-positives. We only
|
||||
|
|
@ -639,10 +639,14 @@ class DetectProxyMisconfiguration(MiddlewareMixin):
|
|||
# client which is providing proxy headers to a correctly
|
||||
# configured Zulip.
|
||||
#
|
||||
# There is a complication to the above logic -- we do expect
|
||||
# that requests not through the proxy may happen from
|
||||
# localhost over HTTP (e.g. the email gateway). Skip warnings
|
||||
# if the remote IP is localhost.
|
||||
# There are a couple complications to the above logic --
|
||||
# first, we do expect that requests not through the proxy may
|
||||
# happen from localhost over HTTP (e.g. the email gateway).
|
||||
# Second, we also expect that the proxy itself may make
|
||||
# healthcheck requests, which will not have an
|
||||
# X-Forwarded-Proto or X-Forwarded-For. We handle the latter
|
||||
# case in the nginx config (as it involves CIDRs and proxy
|
||||
# ranges) and the former case here.
|
||||
if (
|
||||
proxy_state_header != ""
|
||||
and not request.is_secure()
|
||||
|
|
|
|||
Loading…
Reference in New Issue