Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rack attack sees wrong IP address when configured with addtional proxy #1138

Closed
jeinwag opened this issue Mar 20, 2017 · 9 comments
Closed

Comments

@jeinwag
Copy link

jeinwag commented Mar 20, 2017

We're running gitlab behind an addtional nginx proxy (used for Let's Encrypt support/SSL termination).
Configuration looks like this:

server {
       listen 0.0.0.0:443 ssl;
       server_name my.githost.com;
       ssl_certificate /etc/dehydrated/certs/my.githost.com/fullchain.pem;
       ssl_certificate_key /etc/dehydrated/certs/my.githost.com/privkey.pem;
       server_tokens off;
       ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
       ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
       client_max_body_size 200m;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header Host $http_host;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Ssl on;
       proxy_set_header X-Forwarded-Proto $scheme;
       location /.well-known/acme-challenge {
        alias /var/www/dehydrated;
       }

       location / {
        proxy_pass http://gitlab;
       }
}

Even though the X-Forwarded-For header is set, it seems rack attack only sees the same IP address for all requests (the address of the machine running gitlab and nginx). Blacklisting that IP address will of course make gitlab unusable for everyone.

I guess this is due to the second nginx proxy running inside the gitlab container.

Any ideas how to work around this issue?

@lukas-hetzenecker
Copy link

lukas-hetzenecker commented May 18, 2017

I'm using Traefik for SSL termination and can confirm this behaviour. Unfortunately I haven't found a workaround yet.

@stmh
Copy link

stmh commented Jun 23, 2017

I see this too with haproxy in front of gitlab.

@jeinwag
Copy link
Author

jeinwag commented Jun 23, 2017

I guess using the nginx real IP module with the inner nginx inside the container could help:
http://nginx.org/en/docs/http/ngx_http_realip_module.html

@stepan-romankov
Copy link

We have the same problem!

@jeinwag
Copy link
Author

jeinwag commented Oct 4, 2017

I just noticed that this was fixed in #1137, you can solve the issue by configuring NGINX_REAL_IP_RECURSIVE and NGINX_REAL_IP_TRUSTED_ADDRESSES accordingly.

@jeinwag jeinwag closed this as completed Oct 4, 2017
@stepan-romankov
Copy link

stepan-romankov commented Oct 4, 2017

@jeinwag This solution doesn't work well.
We use https://github.com/jwilder/nginx-proxy and proxy itself has dynamic ip address given by docker.

is it possible that gitlab just take into account X-Real-IP?

@Nuxij
Copy link

Nuxij commented Oct 4, 2017

I have this exact problem. I also use my nginx to do SSL management. Doesn't it make more sense to just use the X-* HTTP headers? It's a pretty standard mechanism.

@jeinwag
Copy link
Author

jeinwag commented Oct 5, 2017

Currently, the X-Real-IP header gets set/overwritten by the proxy running inside the gitlab container. I guess you could remove it from the config there and have it set by your outer proxy.

But I'm not sure what other usecases might break by removing the X-Real-IP from the configuration of the inner proxy.

@stepan-romankov
Copy link

@jeinwag could you configure nginx in a way that if NGINX_REAL_IP_RECURSIVE is set to true and NGINX_REAL_IP_TRUSTED_ADDRESSES is not set, then it takes into account X-Real-IP otherwise not.

this should not break existing behaviour because for now NGINX_REAL_IP_TRUSTED_ADDRESSES is mandatory if NGINX_REAL_IP_RECURSIVE is set to true.

Or simple another environment flag NGINX_USE_REAL_IP_HEADER :)

Would appreciate a lot!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants