element-hq / dendrite

Dendrite is a second-generation Matrix homeserver written in Go!
https://element-hq.github.io/dendrite/
GNU Affero General Public License v3.0

x-forwarded-for HTTP header not (always) being honored #3286

Closed matrixbot closed 2 weeks ago

matrixbot commented 2 weeks ago

This issue was originally created by @zbig-t at https://github.com/matrix-org/dendrite/issues/3286.

Background information

Description

I am running the official Docker container image for the latest Dendrite 0.3.15 version in a Docker Swarm cluster behind HAProxy. HAProxy is configured to properly set the 'x-forwarded-for' (all-lowercase) HTTP header to indicate the request originator's true IP address. Due to peculiarities of how a Docker stack works in Swarm mode (containers behind routing mesh and ingress), and also the whole thing being behind a reverse proxy, TCP connections received by Dendrite appear to originate from the local Docker cluster pool, like 10.0.0.x. Due to all that, the 'x-forwarded-for' header, if present, should be relied upon for resolving the client's IP. But Dendrite seems to be failing to do so, at least in how it establishes the user's session IPs, as evidenced by the screenshot from Element.

Screenshot 2023-12-13 at 12 02 00

Steps to reproduce

matrixbot commented 2 weeks ago

This comment was originally posted by @S7evinK at https://github.com/matrix-org/dendrite/issues/3286#issuecomment-1853741749.

Did you configure Dendrite to use the header? https://github.com/matrix-org/dendrite/blob/d65449c7822e89b506bf2caa7a098e38970f6f27/dendrite-sample.yaml#L284-L289

matrixbot commented 2 weeks ago

This comment was originally posted by @zbig-t at https://github.com/matrix-org/dendrite/issues/3286#issuecomment-1853767516.

Indeed, I did not 😉 Thank you for your awesomely quick response. Setting real_ip_header to x-forwarded-for did the trick. I have missed this parameter as my config file (autogenerated as per docker install instructions) lacks the comments.

But, if I may, do you think Dendrite should perhaps auto-try any of the standard "this is the client's real IP" headers automatically? Do you see any downsides in doing that? For what it's worth, from my limited self-hosting experience, many applications do it automatically, given the current trends in hosting stuff (everything behind a reverse proxy or ingress or whatever).

Best regards,
Zbig

matrixbot commented 2 weeks ago

This comment was originally posted by @S7evinK at https://github.com/matrix-org/dendrite/issues/3286#issuecomment-1854336459.

Maybe worth a try and shouldn't be too difficult to add.

matrixbot commented 2 weeks ago

This comment was originally posted by @S7evinK at https://github.com/matrix-org/dendrite/issues/3286#issuecomment-1858515299.

Closing this, glad it works now!
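
On the question raised in the thread about auto-trying client-IP headers: a forwarded-for header is only reliable when a proxy you control wrote it, which is why it is usually opt-in and tied to a trusted-proxy list. The following is an added example, not Dendrite's code; `ClientIP`, `isTrusted` and the 10.0.0.0/24 range are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
	"strings"
)

// Constructed value: 10.0.0.0/24 stands in for the Swarm ingress pool from the issue.
var trustedProxies = []netip.Prefix{netip.MustParsePrefix("10.0.0.0/24")}

func isTrusted(ip netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP returns the address to attribute a request to. The header is read
// only when the TCP peer is a trusted proxy; entries are then walked right to
// left, skipping trusted hops, so values the client prepended are ignored.
func ClientIP(r *http.Request, header string, trusted []netip.Prefix) netip.Addr {
	peer, err := netip.ParseAddrPort(r.RemoteAddr)
	direct := peer.Addr().Unmap()
	if err != nil || header == "" || !isTrusted(direct, trusted) {
		return direct // direct peer or header not configured: ignore headers
	}
	hops := strings.Split(strings.Join(r.Header.Values(header), ","), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // malformed entry: fall back to the peer address
		}
		if ip = ip.Unmap(); !isTrusted(ip, trusted) {
			return ip
		}
	}
	return direct
}

func main() {
	r, _ := http.NewRequest("GET", "http://hs.example/", nil)
	r.RemoteAddr = "10.0.0.7:41000" // connection arrives from the ingress pool
	r.Header.Set("x-forwarded-for", "192.0.2.1, 203.0.113.9")
	fmt.Println(ClientIP(r, "x-forwarded-for", trustedProxies))
}
```

With the header name left empty, or with a peer outside the trusted range, the function returns the TCP peer address and never consults the header.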