From f0698ee6414d5006e6d904a96c1f6927a8efb124 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 8 Mar 2021 17:10:10 +0200
Subject: [PATCH] Do not overwrite X-Forwarded-For when reverse-proxying to Synapse
We have a flow like this: 1. matrix.DOMAIN vhost (matrix-domain.conf) 2. matrix-synapse vhost (matrix-synapse.conf); or matrix-corporal container, if enabled 3. (optional) matrix-synapse vhost (matrix-synapse.conf), if matrix-corporal enabled 4. matrix-synapse container We are setting `X-Forwarded-For` correctly in step #1, but were overwriting it in step #2 with something inaccurate. Not doing anything in step #2 is better than doing the wrong thing. It's probably best if we append another reverse-proxy address there though, although what we're doing now (with this patch) seems to yield the correct result (when matrix-corporal is not enabled). When matrix-corporal is enabled, we still seem to do the wrong thing for some reason. It's something to be fixed later on.
---
 .../templates/nginx/conf.d/matrix-synapse.conf.j2 | 10 ----------
 1 file changed, 10 deletions(-)
diff --git a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2 b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
index 7041468ec..4a3a355d3 100644
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
@@ -79,7 +79,6 @@ server {
 location ~ {{ location }} {
 proxy_pass http://generic_worker_upstream$request_uri;
 proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
 }
 {% endfor %}
 {% endif %}
@@ -90,7 +89,6 @@ server {
 location ~ {{ location }} {
 proxy_pass http://media_repository_upstream$request_uri;
 proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
 client_body_buffer_size 25M;
 client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
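Review bot: The location blocks in this vhost now forward whatever `X-Forwarded-For` value arrives (first at the `generic_worker_upstream` hunk, and identically in the other nine hunks), so the address Synapse sees is only as trustworthy as the peer that connects to this vhost. That is fine while the sole peer is the matrix.DOMAIN vhost from step #1, but nothing in the visible template states or enforces it; if this listener is reachable any other way, a client-supplied address would presumably end up in Synapse's logs and any per-IP limits. I would record the assumption beside the `server {` block, e.g. `# X-Forwarded-For is passed through unchanged from matrix-domain.conf; this vhost must only accept connections from that proxy`. The enclosing `server` blocks start and end outside the hunks, so the listen directives could not be checked here.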
@@ -106,7 +104,6 @@ server {
 location ~ {{ location }} {
 proxy_pass http://user_dir_upstream$request_uri;
 proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
 }
 {% endfor %}
 {% endif %}
@@ -117,7 +114,6 @@ server {
 location ~ {{ location }} {
 proxy_pass http://frontend_proxy_upstream$request_uri;
 proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
 }
 {% endfor %}
 {% if matrix_nginx_proxy_synapse_presence_disabled %}
@@ -125,7 +121,6 @@ server {
 location ~ ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status {
 proxy_pass http://frontend_proxy_upstream$request_uri;
 proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
 }
 {% endif %}
 {% endif %}
@@ -150,7 +145,6 @@ server {
 {% endif %}
 proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
 {% if matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled %}
 auth_basic "protected";
@@ -172,7 +166,6 @@ server {
 {% endif %}
 proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
 client_body_buffer_size 25M;
 client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb }}M;
@@ -199,7 +192,6 @@ server {
 location ~ {{ location }} {
 proxy_pass http://generic_worker_upstream$request_uri;
 proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
 }
 {% endfor %}
 {% endif %}
@@ -209,7 +201,6 @@ server {
 location ~ {{ location }} {
 proxy_pass http://media_repository_upstream$request_uri;
 proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
 client_body_buffer_size 25M;
 client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M;
@@ -231,7 +222,6 @@ server {
 {% endif %}
 proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
 client_body_buffer_size 25M;
 client_max_body_size {{ matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb }}M;