Improve setting IP address of acceptable reverse proxies

ledgersmb · Oct 10, 2021 · e9d657d · e9d657d
1 parent ad3c575
commit e9d657d
Show file tree

Hide file tree

Showing 7 changed files with 25 additions and 1 deletion.
diff --git a/doc/conf/apache-vhost.conf b/doc/conf/apache-vhost.conf
@@ -44,6 +44,8 @@ NameVirtualHost *:443
   RewriteRule "\.conf$" - [R=404,L]
 
   # Rewrite non-static content to the application backend
+  RequestHeader set X-Forwarded-Proto "https"
+  RequestHeader set X-Forwarded-Port "443"
   RewriteCond "%{REQUEST_FILENAME}" !-f
   RewriteCond "%{REQUEST_FILENAME}" !-d
   RewriteRule "^/(.*)" "http://localhost:5762/$1" [P]

diff --git a/doc/conf/ledgersmb.conf.default b/doc/conf/ledgersmb.conf.default
@@ -66,6 +66,7 @@ localepath = locale/po
 
 [programs]
 
+
 [mail]
 # The sendmail command is used to send mail unless smtphost is set.
 # sendmail   = /usr/bin/sendmail
@@ -81,6 +82,10 @@ localepath = locale/po
 # This must be set to enable e-mail delivery of backups
 # backup_email_from = backups@lsmb_hosting.com
 
+[proxy]
+# The list of IP addresses from which to accept reverse proxy requests
+# ip = 127.0.0.1/8 ::1/128
+
 [printers]
 # Available printers
 #Laser      = lpr -Plaser

diff --git a/doc/conf/ledgersmb.conf.travis-ci b/doc/conf/ledgersmb.conf.travis-ci
@@ -45,6 +45,10 @@ sendmail   = /usr/bin/sendmail
 # smtptimeout = 60
 # backup_email_from = backups@lsmb_hosting.com
 
+[proxy]
+# The list of IP addresses from which to accept reverse proxy requests
+# ip = 127.0.0.1/8 ::1/128
+
 [printers]
 # Available printers
 Laser      = lpr -Plaser

diff --git a/doc/conf/ledgersmb.conf.unbuilt-dojo b/doc/conf/ledgersmb.conf.unbuilt-dojo
@@ -81,6 +81,10 @@ localepath = locale/po
 # This must be set to enable e-mail delivery of backups
 # backup_email_from = backups@lsmb_hosting.com
 
+[proxy]
+# The list of IP addresses from which to accept reverse proxy requests
+# ip = 127.0.0.1/8 ::1/128
+
 [printers]
 # Available printers
 #Laser      = lpr -Plaser

diff --git a/doc/conf/nginx-vhost.conf b/doc/conf/nginx-vhost.conf
@@ -48,6 +48,7 @@ server {
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Host $host;
      proxy_set_header X-Forwarded-Server $host;
+     proxy_set_header X-Forwarded-Proto $scheme;
   }
 
 }

diff --git a/lib/LedgerSMB/PSGI.pm b/lib/LedgerSMB/PSGI.pm
@@ -214,7 +214,7 @@ sub setup_url_space {
     my $psgi_app = \&psgi_app;
 
     return builder {
-        enable match_if addr([qw{ 127.0.0.0/8 ::1 ::ffff:127.0.0.0/108 }]),
+        enable match_if addr([ split / /, LedgerSMB::Sysconfig::proxy_ip() ]),
             'ReverseProxy';
         enable match_if path(qr!.+\.(css|js|png|ico|jp(e)?g|gif)$!),
             'ConditionalGET';

diff --git a/lib/LedgerSMB/Sysconfig.pm b/lib/LedgerSMB/Sysconfig.pm
@@ -397,6 +397,14 @@ def 'template_ods',
     doc => q{Set to 'disabled' to prevent ODS output formats being made available};
 
 
+### SECTION  ---   reverse proxy
+
+def 'ip',
+    section => 'proxy',
+    default => '127.0.0.1/8 ::1/128 ::ffff:127.0.0.1/108',
+    doc => 'The space separated list of IP addresses (or ranges, using CIDR notation) of acceptable reverse proxies';
+
+
 ### SECTION  ---   mail
 
 def 'sendmail',