matrix-org / dendrite

Dendrite is a second-generation Matrix homeserver written in Go!
https://matrix-org.github.io/dendrite/
Apache License 2.0
5.67k stars 664 forks

Get IP from "standard" HTTP headers #3287

Open S7evinK opened 9 months ago

S7evinK commented 9 months ago

...

But, if I may, do you think Dendrite should perhaps auto-try any of the standard "this is the client's real IP" headers automatically? Do you see any downsides in doing that? For what it's worth, from my limited self-hosting experience, many applications do it automatically, given the current trends in hosting stuff (everything behind reverse proxy or ingress or whatever).

Best regards Zbig

Originally posted by @zbig-t in https://github.com/matrix-org/dendrite/issues/3286#issuecomment-1853767516

S7evinK commented 9 months ago

Change somewhere here (or in this file): https://github.com/matrix-org/dendrite/blob/d65449c7822e89b506bf2caa7a098e38970f6f27/syncapi/sync/requestpool.go#L176-L204

zbig-t commented 9 months ago

Thanks, I think (hope) that's not beyond my abilities. Will create a PR once I manage to take care of that.

Curious-r commented 9 months ago

I think it's necessary. Now I'm using X-Forwarded-For instead of X-Real-ip, because the former exists in a lot of reverse proxies as a standard header.

bones-was-here commented 9 months ago

None of these headers are safe to trust in the default configuration, unless Dendrite will never use the information for anything important.

To be trustworthy the IP header must be set by a trusted reverse proxy that also discards any (potentially spoofed) information it receives in these headers. The various proxy implementations have different default behaviours, might not be using their defaults, or the admin might not be using a proxy at all.