Fix respect of x-real-ip / x-forwarded-for headers in context #16443
According to https://docs.gitea.io/en-us/fail2ban-setup, Gitea respects the X-Real-IP forwarded proxy header and, according to the implementation prior to the commit below, also X-Forwarded-For. 6433ba0 removes this logic, see https://github.com/go-gitea/gitea/blob/b223d361955f8b722f7dd0b358b2e57e6f359edf/modules/context/context.go line 514. This commit reverts the implementation and adds basic unit tests for it.
Thanks for this PR :)
A note: this should only accept these headers if ctx.Req.RemoteAddr belongs to a trusted IP/range per some configuration value
Alright, so my assumption is correct that the fail2ban instructions in the docs can't work in a setup with reverse proxy?
Why is that? Could you elaborate what the rationale is here? Also regarding the failing CI: When I do the import
We already handle the X-Real-IP and X-Forwarded-For headers on the request in #14959. Have you set the REVERSE_PROXY_TRUSTED_PROXIES and REVERSE_PROXY_LIMIT correctly?
Well, maybe I should've just created an issue - I wanted to configure fail2ban as specified in the docs (in an nginx -> docker gitea setup) but this does not work as is described. Thanks for your input.
Perhaps you could change this PR to make those changes instead.
Yes, just wanted to try it first. Works perfectly. See PR here
#16446) Following the merging of #14959 - Gitea is a lot more strict regarding the interpretation of `X-Real-IP` and `X-Forwarded-For` headers. This PR updates the fail2ban documentation to include hints to set: `REVERSE_PROXY_TRUSTED_PROXIES` and `REVERSE_PROXY_LIMIT` appropriately. See discussion in #16443 Co-authored-by: zeripath <art27@cantab.net>
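The trust rule discussed in this thread (accept `X-Forwarded-For` / `X-Real-IP` only when the connecting peer is a trusted proxy, and walk back a bounded number of hops), as an added sketch that is not Gitea's code or part of the PR. The names `clientIP` and `inCIDRs`, the hop-cap reading of the limit, and all addresses and the CIDR are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// inCIDRs reports whether ip is inside any CIDR of a comma-separated list
// (parsed on every call to keep the example short).
func inCIDRs(ip net.IP, cidrs string) bool {
	for _, c := range strings.Split(cidrs, ",") {
		if _, n, err := net.ParseCIDR(strings.TrimSpace(c)); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP (hypothetical helper) honours forwarding headers only when the direct
// peer is a trusted proxy; limit is assumed to cap how many hops are walked back.
func clientIP(remoteAddr, xff, realIP, proxies string, limit int) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	if peer := net.ParseIP(host); peer == nil || !inCIDRs(peer, proxies) {
		return host // untrusted peer: its headers are client-controlled, ignore them
	}
	if xff == "" {
		xff = realIP // fall back to the single-address header
	}
	hops := strings.Split(xff, ",")
	// Walk right to left: the rightmost entries were appended by the nearest proxies.
	for i := len(hops) - 1; i >= 0 && limit > 0; i, limit = i-1, limit-1 {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			break // empty or malformed entry: keep the last good address
		}
		if host = ip.String(); !inCIDRs(ip, proxies) {
			break // first non-proxy hop is the client
		}
	}
	return host
}

func main() {
	// Constructed input: a forged leftmost entry sent through a trusted proxy.
	fmt.Println(clientIP("172.17.0.1:40000", "192.0.2.66, 203.0.113.7", "", "172.17.0.0/16", 1))
}
```

With this rule a fail2ban filter keyed on the logged address sees the real client behind the proxy, while a direct client cannot choose which address gets logged.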