-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rack attack sees wrong IP address when configured with addtional proxy #1138
Comments
I'm using Traefik for SSL termination and can confirm this behaviour. Unfortunately I haven't found a workaround yet. |
I see this too with haproxy in front of gitlab. |
I guess using the nginx real IP module with the inner nginx inside the container could help: |
We have the same problem! |
I just noticed that this was fixed in #1137, you can solve the issue by configuring NGINX_REAL_IP_RECURSIVE and NGINX_REAL_IP_TRUSTED_ADDRESSES accordingly. |
@jeinwag This solution doesn't work well. is it possible that gitlab just take into account X-Real-IP? |
I have this exact problem. I also use my nginx to do SSL management. Doesn't it make more sense to just use the X-* HTTP headers? It's a pretty standard mechanism. |
Currently, the X-Real-IP header gets set/overwritten by the proxy running inside the gitlab container. I guess you could remove it from the config there and have it set by your outer proxy. But I'm not sure what other usecases might break by removing the X-Real-IP from the configuration of the inner proxy. |
@jeinwag could you configure nginx in a way that if NGINX_REAL_IP_RECURSIVE is set to true and NGINX_REAL_IP_TRUSTED_ADDRESSES is not set, then it takes into account X-Real-IP otherwise not. this should not break existing behaviour because for now NGINX_REAL_IP_TRUSTED_ADDRESSES is mandatory if NGINX_REAL_IP_RECURSIVE is set to true. Or simple another environment flag NGINX_USE_REAL_IP_HEADER :) Would appreciate a lot! |
We're running gitlab behind an addtional nginx proxy (used for Let's Encrypt support/SSL termination).
Configuration looks like this:
Even though the X-Forwarded-For header is set, it seems rack attack only sees the same IP address for all requests (the address of the machine running gitlab and nginx). Blacklisting that IP address will of course make gitlab unusable for everyone.
I guess this is due to the second nginx proxy running inside the gitlab container.
Any ideas how to work around this issue?
The text was updated successfully, but these errors were encountered: