paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-02 04:53:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

nginx: Suppress proxy warnings when the proxy itself sent the request.

Browse Source 
This is common in cases where the reverse proxy itself is making
health-check requests to the Zulip server; these requests have no
X-Forwarded-* headers, so would normally hit the error case of
"request through the proxy, but no X-Forwarded-Proto header".

Add an additional special-case for when the request's originating IP
address is resolved to be the reverse proxy itself; in these cases,
HTTP requests with no X-Forwarded-Proto are acceptable.
This commit is contained in:
Alex Vandiver
2023-09-12 15:09:42 +00:00
committed by Tim Abbott
parent d9c94944e0
commit 761dae7571
2 changed files with 29 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
zerver/middleware.py
View File

@@ -621,7 +621,7 @@ class DetectProxyMisconfiguration(MiddlewareMixin):
# Our nginx configuration sets this header if:
# - there is an X-Forwarded-For set but no proxies configured in Zulip
# - proxies are configured but the request did not come from them
# - proxies are configured and the request came from them,
# - proxies are configured and the request came through them,
# but there was no X-Forwarded-Proto header
#
# Note that the first two may be false-positives. We only
@@ -638,10 +638,14 @@ class DetectProxyMisconfiguration(MiddlewareMixin):
# client which is providing proxy headers to a correctly
# configured Zulip.
#
# There is a complication to the above logic -- we do expect
# that requests not through the proxy may happen from
# localhost over HTTP (e.g. the email gateway). Skip warnings
# if the remote IP is localhost.
# There are a couple complications to the above logic --
# first, we do expect that requests not through the proxy may
# happen from localhost over HTTP (e.g. the email gateway).
# Second, we also expect that the proxy itself may make
# healthcheck requests, which will not have an
# X-Forwarded-Proto or X-Forwarded-For. We handle the latter
# case in the nginx config (as it involves CIDRs and proxy
# ranges) and the former case here.
if (
proxy_state_header != ""
and not request.is_secure()