Closed yaliqmadiq closed 3 years ago
It needs a toggle else clients can spoof their IP by setting X-Forwarded-For
themselves even when the server isn't behind a reverse proxy. Agreed we need this though.
This could be configured to be an administrator-supplied custom header, whose name the client would not know.
This will be done as a config option in dendrite.yaml
FYI the sync_api.real_ip_header configuration option was added in c636be5070b575a2b4e986e1fd7fc0ba24991907, so it's been around since November. You can specify the name of the header you want to use in this option.
Description:
Please read the X-Forwarded-For HTTP header. When Dendrite is protected by a reverse proxy or Cloudflare, the session's true IP origin is expressed by this header.
Synapse has this as a feature in their conf, located at the port settings "x_forward". Not sure if a toggle is needed, but if the header is present and populated this is to mean the user's true IP address when behind a reverse proxy.
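The toggle discussed in this thread, sketched as an added example (not Dendrite's own code): the forwarding header is consulted only when an administrator has configured a header name, and otherwise the TCP peer address is used. The function name `clientIP`, its `realIPHeader` parameter, the sample addresses and the single-trusted-proxy assumption are all hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// clientIP picks the address to record for a request.
// realIPHeader is a hypothetical parameter holding the administrator-configured
// header name; "" means no reverse proxy, so headers are ignored entirely.
func clientIP(r *http.Request, realIPHeader string) string {
	peer := r.RemoteAddr
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		peer = host
	}
	if realIPHeader == "" {
		return peer // toggle off: a client-sent X-Forwarded-For has no effect
	}
	// Assumption: one trusted proxy that appends the address it saw, so the
	// last entry of the last header line is the only proxy-written value.
	lines := r.Header.Values(realIPHeader)
	if len(lines) == 0 {
		return peer
	}
	parts := strings.Split(lines[len(lines)-1], ",")
	candidate := strings.TrimSpace(parts[len(parts)-1])
	if ip := net.ParseIP(candidate); ip != nil {
		return ip.String()
	}
	return peer // malformed value: fall back to the TCP peer
}

func main() {
	// Constructed request: the client supplied the first entry, the proxy appended the second.
	r := &http.Request{RemoteAddr: "10.0.0.5:41234", Header: http.Header{}}
	r.Header.Set("X-Forwarded-For", "203.0.113.99, 198.51.100.7")
	fmt.Println(clientIP(r, ""))                // 10.0.0.5
	fmt.Println(clientIP(r, "X-Forwarded-For")) // 198.51.100.7
}
```

Even with a header configured, the value is only as trustworthy as the network path: the server should accept connections from the proxy alone, or a direct client can still set the header itself.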