matrix-org / dendrite

Dendrite is a second-generation Matrix homeserver written in Go!
https://matrix-org.github.io/dendrite/
Apache License 2.0

real_ip_header setting ignored #1964

Closed 0x1a8510f2 closed 3 years ago

0x1a8510f2 commented 3 years ago

Background information

Description

The real_ip_header setting in dendrite.yaml appears to have no effect; see the Element Web screenshot below:

image

This happens despite the following Dendrite configuration:

sync_api:
  # This option controls which HTTP header to inspect to find the real remote IP
  # address of the client. This is likely required if Dendrite is running behind
  # a reverse proxy server.
  real_ip_header: X-Real-IP

and the following (relevant) webserver (Caddy) configuration:

matrix2.0x1a8510f2.space {
        # Reverse proxy /_matrix/* to Matrix server
        reverse_proxy /_matrix/* {
                to http://dendrite:8008
                header_up Host {http.reverse_proxy.upstream.hostport}
                header_up X-Real-IP {http.reverse_proxy.upstream.ip}
        }
}

Worth noting is that the same config works fine for Synapse.

neilalexander commented 3 years ago

Does your reverse proxy have a means of logging exactly what the X-Real-IP value is that it's sending to Dendrite? All we do is split by commas (if there are any) and take the first value, nothing else. I am using this with X-Forwarded-For on my own Dendrite installation with nginx and it is working fine.

0x1a8510f2 commented 3 years ago

@neilalexander not that I know of, but if required I can temporarily have it send requests to a netcat listener for debugging. However, I've tried changing* the header to X-Forwarded-For and that worked. That makes me wonder if perhaps the issue is related to how these headers behave differently? X-Forwarded-For is supposed to be a list while X-Real-IP is only supposed to be a single address.

* On the Caddy side I simply removed the X-Real-IP header because X-Forwarded-For is sent implicitly.

neilalexander commented 3 years ago

Tested this with my own Dendrite, using the following nginx directive:

proxy_set_header X-Real-IP  $remote_addr;

... and setting the header to X-Real-IP in dendrite.yaml:

real_ip_header: X-Real-IP

The remote address is shown properly, as expected, so I am not sure there's a problem in Dendrite here.

0x1a8510f2 commented 3 years ago

Interesting. I can't identify any issues with my config, but seeing as nobody else reported that issue, and I can work around it by using X-Forwarded-For, I think it's fair to assume it's just something with my setup and close the issue. Thanks for looking into it though!
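
Editorial example, added to this page and not part of the thread or of Dendrite's code: a Go sketch of the header handling described above (split on commas, take the first value), run against constructed requests to show what a single-value X-Real-IP, a list-valued X-Forwarded-For, and an empty or non-IP header each resolve to. The helper names, the IP validation, the fallback to the socket peer address, and all sample addresses are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// resolveClientIP is a hypothetical helper, not Dendrite's implementation.
// It applies the rule from the thread: split the configured header on commas
// and take the first value. Validating that value and falling back to the
// socket peer are assumptions added for this example.
func resolveClientIP(r *http.Request, header string) (ip, source string) {
	if header != "" {
		// Header.Get canonicalises names, so "x-real-ip" matches "X-Real-IP".
		first := strings.TrimSpace(strings.Split(r.Header.Get(header), ",")[0])
		if parsed := net.ParseIP(first); parsed != nil {
			return parsed.String(), header
		}
	}
	// Header unset, empty, or not an IP literal: use the TCP peer, which
	// behind a reverse proxy is the proxy itself.
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	return host, "RemoteAddr"
}

// newProxiedRequest builds a constructed request as a proxy at 172.18.0.2
// would deliver it; every address here is a sample value.
func newProxiedRequest(header, value string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/_matrix/client/r0/sync", nil)
	r.RemoteAddr = "172.18.0.2:41234"
	r.Header.Set(header, value)
	return r
}

func main() {
	cases := [][2]string{
		{"X-Real-IP", "203.0.113.7"},
		{"X-Forwarded-For", "203.0.113.7, 172.18.0.2"},
		{"X-Real-IP", ""},
		{"X-Real-IP", "{unexpanded}"},
	}
	for _, c := range cases {
		ip, src := resolveClientIP(newProxiedRequest(c[0], c[1]), c[0])
		fmt.Printf("%s=%q -> %s (from %s)\n", c[0], c[1], ip, src)
	}
}
```

In this sketch the single-value and list-valued headers resolve identically, so a difference between them in practice points at the value the proxy actually sends, which is what the request to log the header is meant to establish.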