Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix respect of x-real-ip / x-forwarded-for headers in context #16443

Closed
wants to merge 2 commits into from
Closed

Fix respect of x-real-ip / x-forwarded-for headers in context #16443

wants to merge 2 commits into from

Conversation

dosera
Copy link
Contributor

@dosera dosera commented Jul 15, 2021

According to the https://docs.gitea.io/en-us/fail2ban-setup gitea
respects the X-Real-IP forwarded proxy header and according to the implementation
prior to the commit below also X-Forwarded-For.

6433ba0 removes this logic,
see https://github.com/go-gitea/gitea/blob/b223d361955f8b722f7dd0b358b2e57e6f359edf/modules/context/context.go line 514.

This commit reverts the implementation and adds basic unit tests for it.

@dosera
Fix respect of x-real-ip / x-forwarded-for headers in context
36bf203 
According to the https://docs.gitea.io/en-us/fail2ban-setup gitea
respects the X-Real-IP forwarded proxy header and according to the implementation
prior to the commit below also X-Forwarded-For.

6433ba0 removes this logic,
see https://github.com/go-gitea/gitea/blob/b223d361955f8b722f7dd0b358b2e57e6f359edf/modules/context/context.go line 514.

This commit reverts the implementation and adds basic unit tests for it.
techknowlogick
techknowlogick reviewed Jul 15, 2021
View reviewed changes
Copy link
Member

@techknowlogick techknowlogick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this PR :)

A note: this should only accept these headers if ctx.Req.RemoteAddr belongs to a trusted IP/range per some configuration value

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jul 15, 2021
@dosera
Copy link
Contributor Author

dosera commented Jul 15, 2021
edited
Loading

Alright, so my assumption is correct that the fail2ban instructions in the docs can't work in a setup with reverse proxy?
Also what configuration are you referring to? Any hints on where to start?

A note: this should only accept these headers if ctx.Req.RemoteAddr belongs to a trusted IP/range per some configuration value

Why is that? Could you elaborate what the rational is here?

Also regarding the failing CI: When I do the import "code.gitea.io/gitea/modules/context" it works locally but fails in CI. If I remove this it fails locally and in CI. Might this be related to the go version? I am running with 1.16.5

@zeripath
Copy link
Contributor

We already handle the X-Real-IP and X-Forwarded-For headers on the request in #14959

Have you set the REVERSE_PROXY_TRUSTED_PROXIES and REVERSE_PROXY_LIMIT correctly?

@zeripath zeripath added the status/blocked This PR cannot be merged yet, i.e. because it depends on another unmerged PR label Jul 15, 2021
@dosera
Copy link
Contributor Author

dosera commented Jul 15, 2021
edited
Loading

We already handle the X-Real-IP and X-Forwarded-For headers on the request in #14959

Have you set the REVERSE_PROXY_TRUSTED_PROXIES and REVERSE_PROXY_LIMIT correctly?

well maybe I shouldve just created an issue - I wanted to configure fail2ban as specified in the docs (in a nginx -> docker gitea setup) but this does not work as is described.
So I suppose REVERSE_PROXY_LIMIT defaults to 0?
Also mentioning this somewhere in the f2b docs would be very helpful.

Thanks for your input.

@zeripath
Copy link
Contributor

Perhaps you could change this PR to make those changes instead.

@dosera dosera mentioned this pull request Jul 15, 2021
Merged
@dosera
Copy link
Contributor Author

dosera commented Jul 15, 2021

Perhaps you could change this PR to make those changes instead.

Yes, just wanted to try it first. Works perfectly. See PR here

@dosera dosera closed this Jul 15, 2021
zeripath added a commit that referenced this pull request Jul 16, 2021
@dosera @zeripath
Extend the fail2ban instructions with a hint on how to make X-Real-IP… (
95f4004 
#16446)

Following the merging of #14959 - Gitea is a lot more strict regarding the interpretation of `X-Real-IP` and `X-Forwarded-For` headers.

This PR updates the fail2ban documentation to include hints to set: `REVERSE_PROXY_TRUSTED_PROXIES` and `REVERSE_PROXY_LIMIT` appropriately.

See discussion in #16443

Co-authored-by: zeripath <art27@cantab.net>
AbdulrhmnGhanem pushed a commit to kitspace/gitea that referenced this pull request Aug 10, 2021
@dosera @zeripath @AbdulrhmnGhanem
Extend the fail2ban instructions with a hint on how to make X-Real-IP… (
c21fdf7 
go-gitea#16446)

Following the merging of go-gitea#14959 - Gitea is a lot more strict regarding the interpretation of `X-Real-IP` and `X-Forwarded-For` headers.

This PR updates the fail2ban documentation to include hints to set: `REVERSE_PROXY_TRUSTED_PROXIES` and `REVERSE_PROXY_LIMIT` appropriately.

See discussion in go-gitea#16443

Co-authored-by: zeripath <art27@cantab.net>
@go-gitea go-gitea locked and limited conversation to collaborators Oct 19, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@techknowlogick techknowlogick techknowlogick left review comments

Assignees
No one assigned
Labels
lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. status/blocked This PR cannot be merged yet, i.e. because it depends on another unmerged PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@dosera @zeripath @techknowlogick @GiteaBot