-
-
Notifications
You must be signed in to change notification settings - Fork 312
Fix: adding "APP_TRUSTED_PROXIES" variable #569
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Changes from 6 commits
1b1bc34
16d081c
a7cc10b
253a26e
5a7d8e5
792e200
f34e4ad
0b3f364
7d409f6
9cf6d54
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -49,6 +49,7 @@ DB_USER=${DB_USER:-librenms} | |
| DB_TIMEOUT=${DB_TIMEOUT:-30} | ||
|
|
||
| LIBRENMS_BASE_URL=${LIBRENMS_BASE_URL:-/} | ||
| APP_TRUSTED_PROXIES=${APP_TRUSTED_PROXIES:-"172.17.0.0/16"} | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. What do we think about this as a default? I'm unsure since it differs from upstream. But at least you document it.
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Your are right this range is wrong, back in the old days I used to do exactly this: everything landed on the default bridge, so whitelisting 172.17.0.0/16 gave you a simple, ready-to-go path between your reverse proxy and any other container you spun up on the host. That's was the intent here. Looking at the example in this repo, we're not even separating the reverse proxy from the LibreNMS server (Traefik and LibreNMS share one compose network), which will be 172.18.0.0/16 most of the time on a basic host. If we want a default to cover more than just the example scenario, it should be 172.16.0.0/12, which covers all the /16 networks Docker hands out on a host of this size. That said, I don't have a strong stake in how this lands, I won't be using it myself (I run this in Kubernetes), I was just trying to make this easier for the most basic Docker deployments. I appreciate your dedication to LibreNMS. Feel free to make whatever adjustments you want to this PR — or close it if that's easier. I don't plan to spend more time on it myself. This wouldn't be the first fix I've submitted that stalled out in rounds of small tweaks. Honestly, I don't think senior contributors like you should have to wait on a drive-by contributor like me for changes you already know should be in there — just make them directly. I'm fine with whatever the result looks like.
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Hmm, I just noticed.
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Im baffled, Strip default away set the description to what ever you like, just get the fix through then we can start tweaking that the bets setting is and how it is best described. This is like not fixing a broken window because you cant decide what color curtains will go with the new window :) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. You do realize nothing is broken right? I get your frustration with getting the change through, but its better to stay on the side of safely failing on boot rather than exposing company data because someone forgot to change a default setting
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Better analogy, it is like leaving the window open because the window is broken and you don't want people to get in through the broken window. Also, change the window to a door and add a lock... ok I'm lost now. Just like this PR. I don't really use the docker in the real world which is why I ask so many questions. I don't want to break user's installs or expose their data. We are trying to walk a fine line. Changing defaults has much more wide reaching impact and we have to be careful. Not having APP_TRUSTED_PROXIES in the docs was a major oversight and I would have merged that almost right away. Again, I have no idea what is going on with the docker image and a lot of people come in with incorrect assumptions (me included) and have different environments. We can get silly things like duplicate variables. Which is very hard to undo.
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
@Yoyasp have you tested this? It's true that This can be bypassed with the Alternatively, PHP-FPM supports whitelisting individual variables through the security filter by adding The original image sidesteps this for its core settings by writing them into Laravel's .env at container start via the deployment script (rootfs/etc/cont-init.d/03-config.sh). cat >${LIBRENMS_PATH}/.env <<EOL
APP_URL=${LIBRENMS_BASE_URL}
DB_HOST=${DB_HOST}
DB_PORT=${DB_PORT}
DB_DATABASE=${DB_NAME}
DB_USERNAME=${DB_USER}
DB_PASSWORD="${DB_PASSWORD}"
EOLThis is where my pull request went off the rails. My first thought was to simply add So in my latest commit I've taken |
||
|
|
||
| # Timezone | ||
| echo "Setting timezone to ${TZ}..." | ||
|
|
@@ -133,6 +134,7 @@ if [ -z "$DB_PASSWORD" ]; then | |
| fi | ||
| cat >${LIBRENMS_PATH}/.env <<EOL | ||
| APP_URL=${LIBRENMS_BASE_URL} | ||
| APP_TRUSTED_PROXIES=${APP_TRUSTED_PROXIES} | ||
| DB_HOST=${DB_HOST} | ||
| DB_PORT=${DB_PORT} | ||
| DB_DATABASE=${DB_NAME} | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Your description could be improved here. Calling out Laravel is probably confusing for most users.
"What is a trusted proxy?"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Something like this, but I think my wording still could be improved:
"Allow given IP(s) to inject headers into the HTTP request. This is required to forward the real client IP from reverse proxies. IPs are allowed to inject any header even authentication headers, so take care to restrict this to your actual reverse proxies"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe this?
IP(s) or CIDR ranges allowed to set forwarding headers (X-Forwarded-For, X-Forwarded-Proto, etc.) so the real client IP and protocol survive behind a reverse proxy. These IPs can inject any header, including auth headers, so restrict this to your actual proxies only.