feat(auth): SA3 — trusted-proxy X-Forwarded-For for rate limiting
_client_ip trusted the first X-Forwarded-For hop unconditionally, so anyone able to reach the app port could forge XFF and dodge the login/register/reset/demo rate limits. Now trust XFF ONLY when the request's socket peer is a configured reverse proxy (settings.trusted_proxy_ips, e.g. the VPS Caddy's WireGuard peer IP), and take the RIGHTMOST entry — the client our proxy actually saw and appended, immune to a client pre-seeding a fake XFF. A request from any other peer (hitting the port directly) is keyed on its real socket IP, so XFF can't be forged to bypass the limits. New TRUSTED_PROXY_IPS env (empty default = no proxy, use the direct peer). Documented in .env.example, docs/self-hosting.md, README. Unit-verified against spoof-through-proxy and direct-bypass cases.
This commit is contained in:
parent
2eca56d68a
commit
7297dbd2a8
5 changed files with 52 additions and 7 deletions
|
|
@ -79,6 +79,21 @@ public access, put a reverse proxy (Caddy, Nginx, Traefik…) in front to termin
|
|||
secure). If you've already run the installer, edit `OAUTH_REDIRECT_URL` in `.env` to the https
|
||||
callback URL and `docker compose -f docker-compose.selfhost.yml up -d`.
|
||||
|
||||
**Behind a proxy, set `TRUSTED_PROXY_IPS`.** The login / registration / password-reset rate limiters
|
||||
identify callers by IP. Behind a proxy every request arrives from the proxy, so without this the
|
||||
limits would apply to everyone together. Set `TRUSTED_PROXY_IPS` in `.env` to the address your proxy
|
||||
connects to the app *from* (as the app sees it — e.g. its Docker/host/LAN IP, **not** the public
|
||||
client address), and the app will read the real client IP from the proxy's `X-Forwarded-For` header:
|
||||
|
||||
```bash
|
||||
TRUSTED_PROXY_IPS=172.18.0.1 # comma-separate multiple proxies
|
||||
```
|
||||
|
||||
Only that peer is trusted, so a request sent straight to port `8080` (bypassing the proxy) can't forge
|
||||
`X-Forwarded-For` to dodge the limits — it's rate-limited by its real address. Leave it empty if the
|
||||
app is exposed directly with no proxy. Make sure your proxy actually sets `X-Forwarded-For` (Caddy's
|
||||
`reverse_proxy` and Nginx's `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for` both do).
|
||||
|
||||
## Download Center (media storage)
|
||||
|
||||
The stack includes a **Download Center**: an admin-enabled feature that saves videos to the server
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue