docs: Clarify that trust of X-Fowarded-Proto is also necessary.

Previously, `X-Forwarded-Proto` did not need to be set, and failure to
set `loadbalancer.ips` would merely result in bad IP-address
rate-limiting and incorrect access logs; after 0935d388f0, however,
failure to do either of those, if Zulip is deployed with `http_only`,
will lead to infinite redirect loops after login.  These are
accompanied by a misleading error, from Tornado, of:

    Forbidden (Origin checking failed - https://zulip.example.com does not match any trusted origins.): /json/events

This is most common with Docker deployments, where deployments use
another docker container, such as nginx or Traefik, to do SSL
termination.  See zulip/docker-zulip#403.

Update the documentation to reinforce that `loadbalancer.ips` also
controls trust of `X-Forwarded-Proto`, and that failure to set it will
cause the application to not function correctly.
This commit is contained in:
Alex Vandiver 2023-06-14 02:01:53 +00:00 committed by Tim Abbott
parent 6c3969f893
commit d46279c41e
2 changed files with 21 additions and 15 deletions

View File

@ -192,14 +192,15 @@ log][commit-log] for an up-to-date list of all changes.
- PostgreSQL 11 is no longer supported; if you are currently using it, you will
need to [upgrade PostgreSQL](../production/upgrade.md#upgrading-postgresql)
before upgrading Zulip.
- Installations that deploy Zulip behind a [reverse
proxy][reverse-proxy-docs] should make sure the proxy is configured
to set the `X-Forwarded-Proto` HTTP header; the documentation has
updated example configuration.
- Installations that deploy Zulip behind a [reverse proxy][reverse-proxy-docs]
should make sure the proxy is configured to set the `X-Forwarded-Proto` HTTP
header, and that [`loadbalancer.ips` is accurate][loadbalancer-ips] for the
reverse proxy's IP; the documentation has updated its example configurations.
- Zulip's Twitter preview integration has been disabled due to Twitter
desupporting the API that it relied on.
[reverse-proxy-docs]: ../production/deployment.md#putting-the-zulip-application-behind-a-reverse-proxy
[loadbalancer-ips]: ../production/deployment.md#configuring-zulip-to-trust-proxies
## Zulip 6.x series

View File

@ -407,17 +407,22 @@ requests from a reverse proxy as follows:
1. Finally, restart the Zulip server, using
`/home/zulip/deployments/current/scripts/restart-server`.
Note that Zulip must be able to accurately determine if its connection to the
client was over HTTPS or not; if you enable `http_only`, it is very important
that you correctly configure Zulip to trust the `X-Forwarded-Proto` header from
its proxy (see the next section), or clients may see infinite redirects.
#### Configuring Zulip to trust proxies
Before placing Zulip behind a reverse proxy, it needs to be configured
to trust the client IP addresses that the proxy reports via the
`X-Forwarded-For` header. This is important to have accurate IP
addresses in server logs, as well as in notification emails which are
sent to end users. Zulip doesn't default to trusting all
`X-Forwarded-For` headers, because doing so would allow clients to
spoof any IP address; we specify which IP addresses are the Zulip
server's incoming proxies, so we know how much of the
`X-Forwarded-For` header to trust.
Before placing Zulip behind a reverse proxy, it needs to be configured to trust
the client IP addresses that the proxy reports via the `X-Forwarded-For` header,
and the protocol reported by the `X-Forwarded-Proto` header. This is important
to have accurate IP addresses in server logs, as well as in notification emails
which are sent to end users. Zulip doesn't default to trusting all
`X-Forwarded-*` headers, because doing so would allow clients to spoof any IP
address, and claim connections were over a secure connection when they were not;
we specify which IP addresses are the Zulip server's incoming proxies, so we
know which `X-Forwarded-*` headers to trust.
1. Determine the IP addresses of all reverse proxies you are setting up, as seen
from the Zulip host. Depending on your network setup, these may not be the
@ -956,8 +961,8 @@ which have more than 20k users.
#### `ips`
Comma-separated list of IP addresses or netmasks of external load balancers
whose `X-Forwarded-For` should be respected. These can be individual IP
addresses, or CIDR IP address ranges.
whose `X-Forwarded-For` and `X-Forwarded-Proto` should be respected. These can
be individual IP addresses, or CIDR IP address ranges.
### `[http_proxy]`