nginx: Add an option which defaults loadbalancer requests to https.

In some cases, it is not possible to configure the load-balancer to
add an X-Forwarded-Proto header.  If Zulip is serving its traffic over
HTTP, it will rightly error out, since it cannot guarantee that its
response will be served over an encrypted connection.

Add a new `loadbalancer.rejects_http_requests` setting which serves
as a way for the operator to swear that the load-balancer will *never*
serve responses from Zulip over an unencrypted connection.  In most
cases, this is because the load-balancer is configured to have port 80
always serve an HTTP 301 redirect to the same URL over HTTPS.

Properly configuring the proxy to send `X-Forwarded-Proto` is always a
better solution than using this configuration parameter, so use of
this should be viewed as a last resort.
Alex Vandiver
2025-01-22 17:16:42 +00:00
committed by Tim Abbott
parent b047c4d322
commit 3ec896ebda
4 changed files with 25 additions and 3 deletions


@@ -56,6 +56,7 @@ class zulip::nginx {
}
$loadbalancers = split(zulipconf('loadbalancer', 'ips', ''), ',')
$lb_rejects_http_requests = zulipconf('loadbalancer', 'rejects_http_requests', false)
file { '/etc/nginx/zulip-include/trusted-proto':
ensure => file,
require => Package[$zulip::common::nginx],
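Review bot: the default `false` passed to `zulipconf('loadbalancer', 'rejects_http_requests', false)` is only safe if `zulipconf` coerces the ini value to a Ruby boolean; if it hands back the raw string from the config file, a literal `"false"` set by an operator would still be truthy in the template's `<%- if @lb_rejects_http_requests -%>` test and silently enable the relaxed mode. Worth confirming (or normalising here with a comparison against `'true'`) so that only an explicit `true` switches the behaviour on.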


@@ -31,14 +31,19 @@ geo $remote_addr $is_from_proxy {
# We set $trusted_x_forwarded_proto in two steps because `geo` does
# not support variable interpolation in the value, but does support
# CIDR notation, which the loadbalancer list may use.
map $is_x_forwarded_proto_trusted $trusted_x_forwarded_proto {
0 $scheme;
1 $http_x_forwarded_proto;
map "$is_x_forwarded_proto_trusted:$http_x_forwarded_proto" $trusted_x_forwarded_proto {
"~^0:" $scheme;
<%- if @lb_rejects_http_requests -%>
"~^1:$" "https";
<% end -%>
"~^1:" $http_x_forwarded_proto;
}
map "$is_from_proxy:$is_x_forwarded_proto_trusted:$http_x_forwarded_proto" $x_proxy_misconfiguration {
"~^0:0:" "Incorrect reverse proxy IPs set in Zulip (try $remote_addr?); see https://zulip.readthedocs.io/en/latest/production/reverse-proxies.html";
<%- if not @lb_rejects_http_requests -%>
"~^0:1:$" "No X-Forwarded-Proto header sent from trusted proxy $realip_remote_addr; see example configurations in https://zulip.readthedocs.io/en/latest/production/reverse-proxies.html";
<% end -%>
default "";
}
<% end %>
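Review bot: the correctness of the new `$trusted_x_forwarded_proto` map depends on entry order, since both `"~^1:$"` and `"~^1:"` match a trusted request with no header and nginx takes the first matching variant; a one-line comment above `"~^1:$" "https";` saying that it must precede the catch-all would keep a future reorder from quietly breaking the `rejects_http_requests` path. It is also worth noting in the accompanying documentation that this only covers the header being absent: a trusted proxy that does send `X-Forwarded-Proto: http` still falls through to `"~^1:" $http_x_forwarded_proto;` and is reported as HTTP, which is the intended safe behaviour but may surprise an operator who expected the setting to force https unconditionally.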