paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-03 13:33:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: Clarify that trust of X-Fowarded-Proto is also necessary.

Browse Source 
Previously, `X-Forwarded-Proto` did not need to be set, and failure to
set `loadbalancer.ips` would merely result in bad IP-address
rate-limiting and incorrect access logs; after 0935d388f0, however,
failure to do either of those, if Zulip is deployed with `http_only`,
will lead to infinite redirect loops after login.  These are
accompanied by a misleading error, from Tornado, of:

    Forbidden (Origin checking failed - https://zulip.example.com does not match any trusted origins.): /json/events

This is most common with Docker deployments, where deployments use
another docker container, such as nginx or Traefik, to do SSL
termination.  See zulip/docker-zulip#403.

Update the documentation to reinforce that `loadbalancer.ips` also
controls trust of `X-Forwarded-Proto`, and that failure to set it will
cause the application to not function correctly.

(cherry picked from commit d46279c41e)
This commit is contained in:
Alex Vandiver
2023-06-14 02:01:53 +00:00
parent 9b950f9c6a
commit e921c7dafe
2 changed files with 21 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
docs/overview/changelog.md
View File

@@ -182,14 +182,15 @@ up-to-date list of all changes.
- PostgreSQL 11 is no longer supported; if you are currently using it, you will
need to [upgrade PostgreSQL](../production/upgrade.md#upgrading-postgresql)
before upgrading Zulip.
- Installations that deploy Zulip behind a [reverse
proxy][reverse-proxy-docs] should make sure the proxy is configured
to set the `X-Forwarded-Proto` HTTP header; the documentation has
updated example configuration.
- Installations that deploy Zulip behind a [reverse proxy][reverse-proxy-docs]
should make sure the proxy is configured to set the `X-Forwarded-Proto` HTTP
header, and that [`loadbalancer.ips` is accurate][loadbalancer-ips] for the
reverse proxy's IP; the documentation has updated its example configurations.
- Zulip's Twitter preview integration has been disabled due to Twitter
desupporting the API that it relied on.
[reverse-proxy-docs]: ../production/deployment.md#putting-the-zulip-application-behind-a-reverse-proxy
[loadbalancer-ips]: ../production/deployment.md#configuring-zulip-to-trust-proxies
## Zulip 6.x series