paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-10-30 19:43:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

nginx: Suppress proxy warnings when the proxy itself sent the request.

Browse Source 
This is common in cases where the reverse proxy itself is making
health-check requests to the Zulip server; these requests have no
X-Forwarded-* headers, so would normally hit the error case of
"request through the proxy, but no X-Forwarded-Proto header".

Add an additional special-case for when the request's originating IP
address is resolved to be the reverse proxy itself; in these cases,
HTTP requests with no X-Forwarded-Proto are acceptable.
This commit is contained in:
Alex Vandiver
2023-09-12 15:09:42 +00:00
committed by Tim Abbott
parent d9c94944e0
commit 761dae7571
2 changed files with 29 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
puppet/zulip/templates/nginx/trusted-proto.template.erb
View File

@@ -8,9 +8,9 @@ map $http_x_forwarded_for $x_proxy_misconfiguration {
"~." "No proxies configured in Zulip, but proxy headers detected from proxy at $remote_addr; see https://zulip.readthedocs.io/en/latest/production/deployment.html#putting-the-zulip-application-behind-a-reverse-proxy"; "~." "No proxies configured in Zulip, but proxy headers detected from proxy at $remote_addr; see https://zulip.readthedocs.io/en/latest/production/deployment.html#putting-the-zulip-application-behind-a-reverse-proxy";
} }
<% else %> <% else %>
# We do this in two steps because `geo` does not support variable # Check if the request's original `REMOTE_ADDR` header was from a
# interpolation in the value, but does support CIDR notation, # trusted host -- that is, the request did bounce through a proxy and
# which the loadbalancer list may use. # we should trust `X-Forwarded-Proto`
geo $realip_remote_addr $is_x_forwarded_proto_trusted { geo $realip_remote_addr $is_x_forwarded_proto_trusted {
default 0; default 0;
<% @loadbalancers.each do |host| -%> <% @loadbalancers.each do |host| -%>
@@ -18,13 +18,27 @@ geo $realip_remote_addr $is_x_forwarded_proto_trusted {
<% end -%> <% end -%>
} }
# Check if the IP address that we resolved the request as coming
# (after looking at X-Fowarded-For, if any) from is actually the proxy
# itself.
geo $remote_addr $is_from_proxy {
default 0;
<% @loadbalancers.each do |host| -%>
<%= host %> 1;
<% end -%>
}
# We set $trusted_x_forwarded_proto in two steps because `geo` does
# not support variable interpolation in the value, but does support
# CIDR notation, which the loadbalancer list may use.
map $is_x_forwarded_proto_trusted $trusted_x_forwarded_proto { map $is_x_forwarded_proto_trusted $trusted_x_forwarded_proto {
0 $scheme; 0 $scheme;
1 $http_x_forwarded_proto; 1 $http_x_forwarded_proto;
} }
map "$is_x_forwarded_proto_trusted:$http_x_forwarded_proto" $x_proxy_misconfiguration {
"~^0:" "Incorrect reverse proxy IPs set in Zulip (try $remote_addr?); see https://zulip.readthedocs.io/en/latest/production/deployment.html#putting-the-zulip-application-behind-a-reverse-proxy"; map "$is_from_proxy:$is_x_forwarded_proto_trusted:$http_x_forwarded_proto" $x_proxy_misconfiguration {
"~^1:$" "No X-Forwarded-Proto header sent from trusted proxy $realip_remote_addr; see example configurations in https://zulip.readthedocs.io/en/latest/production/deployment.html#putting-the-zulip-application-behind-a-reverse-proxy"; "~^0:0:" "Incorrect reverse proxy IPs set in Zulip (try $remote_addr?); see https://zulip.readthedocs.io/en/latest/production/deployment.html#putting-the-zulip-application-behind-a-reverse-proxy";
"~^0:1:$" "No X-Forwarded-Proto header sent from trusted proxy $realip_remote_addr; see example configurations in https://zulip.readthedocs.io/en/latest/production/deployment.html#putting-the-zulip-application-behind-a-reverse-proxy";
default ""; default "";
} }
<% end %> <% end %>

14
zerver/middleware.py
View File

@@ -621,7 +621,7 @@ class DetectProxyMisconfiguration(MiddlewareMixin):
# Our nginx configuration sets this header if: # Our nginx configuration sets this header if:
# - there is an X-Forwarded-For set but no proxies configured in Zulip # - there is an X-Forwarded-For set but no proxies configured in Zulip
# - proxies are configured but the request did not come from them # - proxies are configured but the request did not come from them
# - proxies are configured and the request came from them, # - proxies are configured and the request came through them,
# but there was no X-Forwarded-Proto header # but there was no X-Forwarded-Proto header
# #
# Note that the first two may be false-positives. We only # Note that the first two may be false-positives. We only
@@ -638,10 +638,14 @@ class DetectProxyMisconfiguration(MiddlewareMixin):
# client which is providing proxy headers to a correctly # client which is providing proxy headers to a correctly
# configured Zulip. # configured Zulip.
# #
# There is a complication to the above logic -- we do expect # There are a couple complications to the above logic --
# that requests not through the proxy may happen from # first, we do expect that requests not through the proxy may
# localhost over HTTP (e.g. the email gateway). Skip warnings # happen from localhost over HTTP (e.g. the email gateway).
# if the remote IP is localhost. # Second, we also expect that the proxy itself may make
# healthcheck requests, which will not have an
# X-Forwarded-Proto or X-Forwarded-For. We handle the latter
# case in the nginx config (as it involves CIDRs and proxy
# ranges) and the former case here.
if ( if (
proxy_state_header != "" proxy_state_header != ""
and not request.is_secure() and not request.is_secure()