Skip to content
This repository has been archived by the owner on Nov 25, 2024. It is now read-only.

x-forwarded-for HTTP header not (always) being honored #3286

Closed
zbig-t opened this issue Dec 13, 2023 · 4 comments
Closed

x-forwarded-for HTTP header not (always) being honored #3286

zbig-t opened this issue Dec 13, 2023 · 4 comments

Comments

@zbig-t
Copy link

zbig-t commented Dec 13, 2023

Background information

  • Dendrite version: 0.13.5
  • Postgres
  • Running in Docker in Swam mode
  • Client used: Element

Description

I am running official Docker container image for the latest Dendrite 0.3.15 version in Docker Swarm cluster behind HAproxy. HAproxy is configured to properly set 'x-forwarded-for' (all-lowercase) HTTP header to indicate request's originator's true IP address. Due to peculiarities of how Docker stack works in Swarm mode (containers behind routing mesh and ingress) and also the whole thing being behind reverse proxy, TCP connections received by Dendrite appear to originate from local Docker cluster pool like 10.0.0.x. Due to all that, the 'x-forwarded-for' header, if present, should be relied upon for resolving client's IP. But Dendrite seems to be failing to do so at least in how it establishes user's session IPs as evidenced by the screenshot from Element.

Zrzut ekranu 2023-12-13 o 12 02 00

Steps to reproduce

  • Spin up Dendrite container as a single-replica Docker Swarm service
  • Configure HAProxy in the front of the stack, making sure it passes the 'x-forwarded-for' header to the backend
  • Open Element's "Sessions" screen and see how the IP are reported as being from 10.x.x.x network anyway.
@S7evinK
Copy link
Contributor

S7evinK commented Dec 13, 2023

Did you configure Dendrite to use the header?

dendrite/dendrite-sample.yaml

Lines 284 to 289 in d65449c

# Configuration for the Sync API.
sync_api:
# This option controls which HTTP header to inspect to find the real remote IP
# address of the client. This is likely required if Dendrite is running behind
# a reverse proxy server.
# real_ip_header: X-Real-IP

@zbig-t
Copy link
Author

zbig-t commented Dec 13, 2023

Indeed, I did not 😉 Thank you for your awesomely quick response. Setting real_ip_header to x-forwarded-for did the trick. I have missed this parameter as my config file (autogenerated as per docker install instructions) lacks the comments.

But, if I may, do you think Dendrite should perhaps auto-try any of the standard "this is the client's real IP" headers automatically? Do you see any downsides in doing that? For what it's worth, from my limited self-hosting experience, many applications do it automatically, given the current trends in hosting stuff (everything behind reverse proxy or ingress or whatever)

Best regards
Zbig

@S7evinK
Copy link
Contributor

S7evinK commented Dec 13, 2023

Maybe worth a try and shouldn't be to difficult to add.

@S7evinK S7evinK mentioned this issue Dec 15, 2023
Open
@S7evinK
Copy link
Contributor

S7evinK commented Dec 15, 2023

Closing this, glad it works now!

@S7evinK S7evinK closed this as completed Dec 15, 2023
This was referenced Nov 1, 2024
Closed
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@S7evinK @zbig-t