From 912f79f1af1535d32dfa4ab463c0d6efac3a4ae9 Mon Sep 17 00:00:00 2001
From: DynamoFox
Date: Thu, 4 Aug 2022 00:19:54 +0200
Subject: [PATCH] Add optional support to trust reverse proxies (via X-Forwarded-For)

---
 config-sample.ini | 6 ++++++
 src/www | 8 ++++++++
 2 files changed, 14 insertions(+)

diff --git a/config-sample.ini b/config-sample.ini
index 393a124f3..0e8da0360 100644
--- a/config-sample.ini
+++ b/config-sample.ini
@@ -21,3 +21,9 @@ https=false
 # path to certificate (run "bash bin/generate-cert.sh" to generate self-signed certificate). Relevant only if https=true
 certPath=
 keyPath=
+# setting to give trust to reverse proxies, a comma-separated list of trusted rev. proxy IPs can be specified (CIDR notation is permitted),
+# alternatively 'true' will make use of the leftmost IP in X-Forwarded-For, ultimately an integer can be used to tell about the number of hops between
+# Trilium (which is hop 0) and the first trusted rev. proxy.
+# once set, expressjs will use the X-Forwarded-For header set by the rev. proxy to determinate the real IPs of clients.
+# expressjs shortcuts are supported: loopback(127.0.0.1/8, ::1/128), linklocal(169.254.0.0/16, fe80::/10), uniquelocal(10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fc00::/7)
+trustedReverseProxy=false
diff --git a/src/www b/src/www
index 637ca925d..c17ae0412 100644
--- a/src/www
+++ b/src/www
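Review bot: The `true` form described in the added comment removes the trust boundary entirely: Express then takes the leftmost X-Forwarded-For value on every request, so any client that can reach Trilium without going through the proxy can present whatever source address it likes to logging or any address-based decision. The comment should state that `true` is only appropriate when Trilium is bound so that nothing but the proxy can reach it, and that listing the proxy addresses (or a hop count) is the preferred setting. Separately, `determinate` should read `determine`, and a concrete example such as `# trustedReverseProxy=loopback,10.0.0.5` would make the expected list syntax clearer than the shortcut enumeration alone.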
@@ -44,6 +44,14 @@ async function startTrilium() {
 app.set('port', usedPort);
 app.set('host', usedHost);
 
+ // Check from config whether to trust reverse proxies to supply user IPs, hostnames and protocols
+ if (config['Network']['trustedReverseProxy']) {
+ if (config['Network']['trustedReverseProxy'] === true || config['Network']['trustedReverseProxy'].trim().length) {
+ app.set('trust proxy', config['Network']['trustedReverseProxy'])
+ }
+ }
+ log.info('Trusted reverse proxy: ' + app.get('trust proxy'))
+
 if (config['Network']['https']) {
 if (!config['Network']['keyPath'] || !config['Network']['keyPath'].trim().length) {
 throw new Error("keyPath in config.ini is required when https=true, but it's empty");
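Review bot: `app.set('trust proxy', …)` is handed the config value unconverted, and Express interprets a string as a comma-separated address list, so the integer hop-count form that config-sample.ini advertises would, if the ini parser leaves `1` as the string `'1'`, be compiled as an address rather than a hop count and end up trusting a different set of proxies than the operator configured. Converting a purely numeric string before the call closes that gap: `const raw = config['Network']['trustedReverseProxy'];`, `const trusted = typeof raw === 'string' && /^\d+$/.test(raw.trim()) ? Number.parseInt(raw, 10) : raw;`, `app.set('trust proxy', trusted);`. The inner condition also assumes every value that is not exactly `true` is a string; should the parser ever yield a number, `.trim()` throws a TypeError at startup, so guarding with `typeof raw === 'string'` there is safer. I cannot see how config.ini is parsed from this hunk, so whether booleans or numbers are coerced needs confirming against the loader; startTrilium continues outside the hunk.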