Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: use nginx realip module #2977

Merged
merged 2 commits into from
May 6, 2024
Merged

fix: use nginx realip module #2977

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
bbef5f5
fix: use nginx realip module
oioki Apr 19, 2024
f2a4b55
use Docker default address pools
oioki Apr 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
fix: use nginx realip module
  • Loading branch information
@oioki
oioki committed Apr 19, 2024
commit bbef5f538bf1f99e5468e4cdaa38b1dd31f60581
8 changes: 7 additions & 1 deletion nginx/nginx.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,11 +43,17 @@ http {
proxy_next_upstream error timeout invalid_header http_502 http_503 non_idempotent;
proxy_next_upstream_tries 2;

set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is up for debate, but I think proper list of internal subnets should be acquired from here: https://en.wikipedia.org/wiki/Reserved_IP_addresses. Also considering that the address might come from an IPv6 address. But if this turns out to be out of scope, then these addresses are fine.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These should be docker default subnets which are:

https://github.com/moby/libnetwork/blob/3797618f9a38372e8107d8c06f6ae199e1133ae8/ipamutils/utils.go#L10-L22 :

172.17.0.0/16
172.18.0.0/16
172.19.0.0/16
172.20.0.0/14
172.24.0.0/14
172.28.0.0/14
192.168.0.0/16
10.0.0.0/8

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aminvakil Thank you for the reference! That seems the most correct subnet list.

real_ip_header X-Forwarded-For;
real_ip_recursive on;

# Remove the Connection header if the client sends it,
# it could be "close" to close a keepalive connection
proxy_set_header Connection '';
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-For $remote_addr;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: this might break some installations that have multiple hops before this Nginx, e.g. when the self-hosted installation is behind Google/AWS load balancers that normally add a bunch of records to X-Forwarded-For header automatically.

That means that we should highlight this in the release notes, and point to recommendations around "how to pass the trusted client IP to the Sentry backend".

proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Request-Id $request_id;
proxy_read_timeout 30s;
Expand Down
Loading