-
-
Notifications
You must be signed in to change notification settings - Fork 672
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP] Use express builtin 'trust proxy' #399
Conversation
This still needs to be debugged, I am getting this error now after these changes: (implying
|
@djm2k we probably shouldn't have called the old one trusted proxies, as it's trying to do a different thing than what setting express's (or nginx's) trusted proxies is doing. Setting express's trusted proxies is a method of excluding proxies that are within your network, leaving what's left as the untrusted client IPs, which you can then rate limit and use to log as the from IP. That's a good setting to have, and if you need it to fix the rate limiting error, then we should add it. But we still want a seperate config item that identifies which IP subnet we trust header auth requests from. Imagine you have your hosted actual and you want to be forced to login when away from your home network, but be auto-logged in when at home, regardless of the device. You need your express trusted proxies to basically include nothing but localhost the two proxy IPs (the proxy that you are using to expose this to the world, and the one for inside your network) In this scenario it's because this is in your home network, and you need to identify any private ip in your network as a client rather than trusted for rate limiting and other client ip middleware). But you want your tusted |
@twk3 I am very confused by the different terms. What you're describing is known to me as "Trusted IP Ranges" or "IP Authentication". Handling this at the express middleware level instead of in the reverse proxy config seems like a mistake which could lead to future admins misconfiguring their setups.
I'd like to setup an E2E test which covers your use-case as well. For me- the whole app is wrapped in Authelia no matter if i am accessing it locally or externally. Let me know what you think |
Yeah, sorry. That was my fault for using trusted proxy as the name. Should have been To fix the naming situation, we probably need to rename the current impl to |
This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days. |
👋 Hi! It looks like this PR has not had any changes for a week now. Would you like someone to review this PR? If so - please remove the "[WIP]" prefix from the PR title. That will let the community know that this PR is open for a review. |
This PR was closed because it has been stalled for 5 days with no activity. |
This really needs to be reopened, it's been two months and Actual still cannot deploy behind a proxy. What is actually needed to move this along? |
twk3 has generously taken the above discussion and worked it into changes in Would you like to test the above and report back in #392? Please check the repo's activity in the future: https://github.com/actualbudget/actual-server/activity I will continue working on my |
All of that said, this looks a lot less stale than I thought it was, which is awesome. Apologies for being snippy in my previous reply, I phrased my question pretty badly, it should have been "This seems like a very high priority issue, is there anything that can be done to help fix it or is it just blocked by something else?" |
Changes made
quote_type = single
to.editorconfig
(VSCode kept changing them all to double).trustedProxies
config option to work with expressjs.validateAuthHeader
function and check.Reasoning
validateAuthHeader
which attempted to re-implement logic provided by expressjs itself throughapp.set('trust proxy')
(see docs above)Linked
Ongoing work
trustedProxies
set to:1
with Traefik/Caddy2
with NGINX and Cloudflare proxies10.0.0.0/16,0.233.192.169/32
for manual IP address/subnet CSVfalse
to throwERR_ERL_UNEXPECTED_X_FORWARDED_FOR
when a proxy header is detected (current behaviour)true
to throwERR_ERL_PERMISSIVE_TRUST_PROXY