matrix-org / dendrite

Dendrite is a second-generation Matrix homeserver written in Go!
https://matrix-org.github.io/dendrite/
Apache License 2.0

Respect the X-Forwarded-For header for Cloudflare/RPs #1823

Closed yaliqmadiq closed 3 years ago

yaliqmadiq commented 3 years ago

Description:

Please read the X-Forwarded-For HTTP header. When Dendrite is protected by a reverse proxy or Cloudflare, the session's true IP origin is expressed by this header.

Synapse has this as a feature in their conf, located at the port settings "x_forward". Not sure if a toggle is needed, but if the header is present and populated this is to mean the user's true IP address when behind a reverse proxy.

kegsay commented 3 years ago

It needs a toggle, else clients can spoof their IP by setting X-Forwarded-For themselves even when the server isn't behind a reverse proxy. Agreed we need this though.

yaliqmadiq commented 3 years ago

This could be configured to be an administrator-supplied custom header, whose name the client would not know.

kegsay commented 3 years ago

This will be done as a config option in dendrite.yaml

neilalexander commented 3 years ago

FYI the sync_api.real_ip_header configuration option was added in c636be5070b575a2b4e986e1fd7fc0ba24991907, so it's been around since November. You can specify the name of the header you want to use in this option.
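
An added example, not Dendrite's code and not written by any commenter above: one way a Go server can apply the toggle discussed in this thread, reading the configured header only when the option is set. The name `ClientIP`, the `trustedProxies` allow-list and the sample addresses are assumptions of this example, and the allow-list check goes beyond what the thread discusses.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"strings"
)

// ClientIP picks the address to attribute a request to.
// realIPHeader is the operator-configured header name ("" means the option is off).
// trustedProxies (an assumption of this example) lists the proxies allowed to set it.
func ClientIP(r *http.Request, realIPHeader string, trustedProxies []netip.Prefix) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	peer, err := netip.ParseAddr(host)
	if realIPHeader == "" || err != nil || !trusted(peer.Unmap(), trustedProxies) {
		return host // option off, or the peer is not our proxy: ignore the header
	}
	vals := r.Header.Values(realIPHeader)
	if len(vals) == 0 {
		return host
	}
	// The proxy appends the address it saw, so only the rightmost entry is its own;
	// anything to the left may have been supplied by the client.
	parts := strings.Split(vals[len(vals)-1], ",")
	if ip, err := netip.ParseAddr(strings.TrimSpace(parts[len(parts)-1])); err == nil {
		return ip.String()
	}
	return host
}

func trusted(ip netip.Addr, nets []netip.Prefix) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: proxy at 10.0.0.2, client pre-filled the header with 192.0.2.1.
	proxies := []netip.Prefix{netip.MustParsePrefix("10.0.0.0/24")}
	r := &http.Request{RemoteAddr: "10.0.0.2:41234", Header: http.Header{}}
	r.Header.Set("X-Forwarded-For", "192.0.2.1, 203.0.113.7")
	fmt.Println(ClientIP(r, "X-Forwarded-For", proxies), ClientIP(r, "", proxies))
}
```

With a single proxy in front of the server, the rightmost entry is the value that proxy wrote; a chain of several proxies would need each hop in the allow-list and a walk from right to left.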