From 5c3c0d0d588bce8669240c41ff123a45502bad8d Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Thu, 23 Dec 2021 18:47:50 +0200
Subject: [PATCH] Set Dendrite's real_ip_header correctly
---
group_vars/matrix_servers | 2 ++
roles/matrix-dendrite/defaults/main.yml | 4 ++++
roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 | 1 +
3 files changed, 7 insertions(+)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 864f7702a..57319eba0 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -2231,6 +2231,8 @@ matrix_dendrite_container_http_host_bind_address: "{{ '' if matrix_nginx_proxy_e
 # For exposing Dendrite's HTTPS server to the local host.
 matrix_dendrite_container_https_host_bind_address: "{{ '' if matrix_nginx_proxy_enabled or not matrix_dendrite_https_bind_port else ('127.0.0.1:' + matrix_dendrite_https_bind_port|string) }}"
+matrix_dendrite_sync_api_real_ip_header: "{{ 'X-Forwarded-For' if matrix_nginx_proxy_enabled else '' }}"
+
 matrix_dendrite_registration_shared_secret: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'dendrite.rss') | to_uuid }}"
 matrix_dendrite_database_password: "{{ matrix_homeserver_generic_secret_key | password_hash('sha512', 'dendrite.db') | to_uuid }}"
diff --git a/roles/matrix-dendrite/defaults/main.yml b/roles/matrix-dendrite/defaults/main.yml
index 840ef9ecf..237895403 100644
--- a/roles/matrix-dendrite/defaults/main.yml
+++ b/roles/matrix-dendrite/defaults/main.yml
@@ -68,6 +68,10 @@ matrix_dendrite_allow_guest_access: false
 matrix_dendrite_max_file_size_bytes: 10485760
+# Controls which HTTP header (e.g. 'X-Forwarded-For', 'X-Real-IP') to inspect to find the real remote IP address of the client.
+# This is likely required if Dendrite is running behind a reverse proxy server.
+matrix_dendrite_sync_api_real_ip_header: ''
+
 # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
 matrix_dendrite_tmp_directory_size_mb: 500
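Review bot: In group_vars/matrix_servers the new `matrix_dendrite_sync_api_real_ip_header` line makes Dendrite trust `X-Forwarded-For` whenever `matrix_nginx_proxy_enabled` is true, and that header is only as trustworthy as the proxy's handling of it. If the nginx vhost forwards it with `$proxy_add_x_forwarded_for` (not visible in this patch), a value sent by the client stays at the front of the list, so the address Dendrite records may be client-chosen, depending on which entry it reads. It is worth confirming that the proxy overwrites the header with `$remote_addr`, or pointing this variable at a header the proxy always sets itself, and recording the assumption in a comment such as `# Safe only because matrix-nginx-proxy is the sole path to Dendrite and sets this header itself.` The condition also leaves the header empty when a different reverse proxy fronts the 127.0.0.1 bind address used while matrix-nginx-proxy is disabled, so those setups have to set the variable by hand.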
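Review bot: The comment added above `matrix_dendrite_sync_api_real_ip_header` in roles/matrix-dendrite/defaults/main.yml does not say what the empty default means, nor that the setting is scoped to the sync API. A reader cannot tell from it that `''` presumably makes Dendrite fall back to the connection's peer address, which is the right choice when nothing trusted sits in front of it. I would add a line such as `# Leave empty unless a trusted reverse proxy sets this header on every request; applies to the sync API only.`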
diff --git a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2 b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2
index c512904eb..102dd2f59 100644
--- a/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2
+++ b/roles/matrix-dendrite/templates/dendrite/dendrite.yaml.j2
@@ -339,6 +339,7 @@ sync_api:
 # address of the client. This is likely required if Dendrite is running behind
 # a reverse proxy server.
 # real_ip_header: X-Real-IP
+ real_ip_header: {{ matrix_dendrite_sync_api_real_ip_header|to_json }}
 # Configuration for the User API.
 user_api: