[network] Fix handling of forwarded headers

This fixes several issues where services would see the internal IP of
the proxy and not that of the client.

It works by first unsetting any proxy-related headers that arrive from
the internet, then setting those as seen by HAProxy's entrypoint
frontend.
And finally making sure that neither WAF when enabled nor other
HAProxy backends touch these headers, while they are actually used by
the final services.

Services affected:	Netcloud, Keycloak, Moodle
GON-3874-DD-moodle
Evilham 2022-12-02 06:49:56 +01:00
parent ba3b4ba46f
commit 8f5de8af6a
No known key found for this signature in database
GPG Key ID: AE3EE30D970886BF
7 changed files with 120 additions and 41 deletions

View File

@ -9,6 +9,7 @@ COPY 02-configure-moodle.sh /docker-entrypoint-init.d/
COPY 03-plugins.sh /docker-entrypoint-init.d/ COPY 03-plugins.sh /docker-entrypoint-init.d/
COPY src/rootfs/var/www/html/admin/cli/isinstalled.php / COPY src/rootfs/var/www/html/admin/cli/isinstalled.php /
COPY is_moodle_ready.sh / COPY is_moodle_ready.sh /
COPY nginx.conf /etc/nginx/
RUN echo "user=nobody" >> /etc/php7/php-fpm.d/www.conf RUN echo "user=nobody" >> /etc/php7/php-fpm.d/www.conf
RUN echo "group=nobody" >> /etc/php7/php-fpm.d/www.conf RUN echo "group=nobody" >> /etc/php7/php-fpm.d/www.conf
RUN apk add --no-cache dcron libcap && \ RUN apk add --no-cache dcron libcap && \

View File

@ -3,3 +3,4 @@
02-configure-moodle.sh MIT https://github.com/erseco/ https://raw.githubusercontent.com/erseco/alpine-moodle/63b8b80d333eaec1cdffa2e768a364e973d6c1ee/rootfs/docker-entrypoint-init.d/02-configure-moodle.sh 02-configure-moodle.sh MIT https://github.com/erseco/ https://raw.githubusercontent.com/erseco/alpine-moodle/63b8b80d333eaec1cdffa2e768a364e973d6c1ee/rootfs/docker-entrypoint-init.d/02-configure-moodle.sh
Dockerfile MIT https://github.com/erseco/ https://raw.githubusercontent.com/erseco/alpine-moodle/63b8b80d333eaec1cdffa2e768a364e973d6c1ee/Dockerfile Dockerfile MIT https://github.com/erseco/ https://raw.githubusercontent.com/erseco/alpine-moodle/63b8b80d333eaec1cdffa2e768a364e973d6c1ee/Dockerfile
moodle.yml MIT https://github.com/erseco/ https://raw.githubusercontent.com/erseco/alpine-moodle/63b8b80d333eaec1cdffa2e768a364e973d6c1ee/docker-compose.yml moodle.yml MIT https://github.com/erseco/ https://raw.githubusercontent.com/erseco/alpine-moodle/63b8b80d333eaec1cdffa2e768a364e973d6c1ee/docker-compose.yml
nginx.conf MIT https://github.com/erseco/ https://raw.githubusercontent.com/erseco/alpine-moodle/63b8b80d333eaec1cdffa2e768a364e973d6c1ee/rootfs/etc/nginx/nginx.conf

View File

@ -0,0 +1,108 @@
worker_processes 1;
error_log stderr warn;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
# Define custom log format to include reponse times
log_format main_timed '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'$request_time $upstream_response_time $pipe $upstream_cache_status';
access_log /dev/stdout main_timed;
error_log /dev/stderr notice;
keepalive_timeout 65;
# Write temporary files to /tmp so they can be created as a non-privileged user
client_body_temp_path /tmp/client_temp;
proxy_temp_path /tmp/proxy_temp_path;
fastcgi_temp_path /tmp/fastcgi_temp;
uwsgi_temp_path /tmp/uwsgi_temp;
scgi_temp_path /tmp/scgi_temp;
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
real_ip_header X-Forwarded-For;
# Default server definition
server {
listen 8080 default_server;
server_name _;
sendfile off;
# Increase proxy buffers for large requests
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
# Upload limit
client_max_body_size 200M;
client_body_buffer_size 128k;
root /var/www/html;
index index.php index.html;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to index.php
try_files $uri $uri/ /index.php?q=$uri&$args;
}
# Redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /var/lib/nginx/html;
}
# Pass the PHP scripts to PHP-FPM listening on 127.0.0.1:9000
location ~ [^/]\.php(/|$) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_index index.php;
include fastcgi_params;
}
location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ {
expires 5d;
}
# Deny access to . files, for security
location ~ /\. {
log_not_found off;
deny all;
}
# Allow fpm ping and status from localhost
location ~ ^/(fpm-status|fpm-ping)$ {
access_log off;
allow 127.0.0.1;
deny all;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
}
}
# Include other server configs
include /etc/nginx/conf.d/*.conf;
gzip on;
gzip_proxied any;
gzip_types text/plain application/xml text/css text/js text/xml application/x-javascript text/javascript application/json application/xml+rss;
gzip_vary on;
gzip_disable "msie6";
}

View File

@ -25,7 +25,7 @@ http {
set_real_ip_from 10.0.0.0/8; set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12; set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16; set_real_ip_from 192.168.0.0/16;
real_ip_header X-Real-IP; real_ip_header X-Forwarded-For;
upstream php-handler { upstream php-handler {
server dd-apps-nextcloud-app:9000; server dd-apps-nextcloud-app:9000;
} }

View File

@ -7,10 +7,6 @@ backend letsencrypt
backend be_api backend be_api
mode http mode http
http-request set-path /img/favicon.ico if { path_end -i favicon.ico } or { path_end -i favicon } or { path_beg -i /apps/theming/favicon/ } http-request set-path /img/favicon.ico if { path_end -i favicon.ico } or { path_end -i favicon } or { path_beg -i /apps/theming/favicon/ }
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
# Nextcloud use /avatar/username/32 /avatar/username/64 and /avatar/username/128 # Nextcloud use /avatar/username/32 /avatar/username/64 and /avatar/username/128
http-request set-path %[path,regsub(\"^(/avatar/[^/]+).*\",\"\1\")] http-request set-path %[path,regsub(\"^(/avatar/[^/]+).*\",\"\1\")]
server api dd-sso-api:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none server api dd-sso-api:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
@ -18,74 +14,40 @@ backend be_api
backend be_sso backend be_sso
mode http mode http
option httpclose option httpclose
option forwardfor
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
http-response replace-header Set-Cookie (KEYCLOAK_LOCALE=[^;]*);(.*) \1;Domain="${DOMAIN}";Version=1;Path=/;Secure; http-response replace-header Set-Cookie (KEYCLOAK_LOCALE=[^;]*);(.*) \1;Domain="${DOMAIN}";Version=1;Path=/;Secure;
server keycloak dd-sso-keycloak:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none server keycloak dd-sso-keycloak:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none
backend be_admin backend be_admin
mode http mode http
option forwardfor
timeout queue 600s timeout queue 600s
timeout server 600s timeout server 600s
timeout connect 600s timeout connect 600s
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
server dd-sso-admin dd-sso-admin:9000 check port 9000 inter 5s rise 2 fall 10 resolvers mydns init-addr none server dd-sso-admin dd-sso-admin:9000 check port 9000 inter 5s rise 2 fall 10 resolvers mydns init-addr none
## APPS ## APPS
backend be_moodle backend be_moodle
mode http mode http
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
server moodle dd-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none server moodle dd-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none
backend be_moodle_long backend be_moodle_long
mode http mode http
timeout server 900s timeout server 900s
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
server moodle dd-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none server moodle dd-apps-moodle:8080 check port 8080 inter 5s rise 2 fall 10 resolvers mydns init-addr none
backend be_nextcloud backend be_nextcloud
mode http mode http
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
server nextcloud dd-apps-nextcloud-nginx:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none server nextcloud dd-apps-nextcloud-nginx:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
backend be_etherpad backend be_etherpad
mode http mode http
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
server etherpad dd-apps-etherpad:9001 check port 9001 inter 5s rise 2 fall 10 resolvers mydns init-addr none server etherpad dd-apps-etherpad:9001 check port 9001 inter 5s rise 2 fall 10 resolvers mydns init-addr none
backend be_oof backend be_oof
mode http mode http
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
server onlyoffice dd-apps-onlyoffice:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none server onlyoffice dd-apps-onlyoffice:80 check port 80 inter 5s rise 2 fall 10 resolvers mydns init-addr none
backend be_wp backend be_wp
mode http mode http
acl existing-x-forwarded-host req.hdr(X-Forwarded-Host) -m found
acl existing-x-forwarded-proto req.hdr(X-Forwarded-Proto) -m found
http-request add-header X-Forwarded-Host %[req.hdr(Host)] unless existing-x-forwarded-host
http-request add-header X-Forwarded-Proto https unless existing-x-forwarded-proto
http-request set-header X-SSL %[ssl_fc] http-request set-header X-SSL %[ssl_fc]
http-request set-header X-Forwarded-Proto https http-request set-header X-Forwarded-Proto https

View File

@ -7,6 +7,11 @@
http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt } http-request set-header ssl_client_cert -----BEGIN\ CERTIFICATE-----\ %[ssl_c_der,base64]\ -----END\ CERTIFICATE-----\ if { ssl_fc_has_crt }
bind :443 ssl crt /certs/chain.pem bind :443 ssl crt /certs/chain.pem
# This comes from the internet, do not trust the forwarding headers
http-request del-header X-Forwarded-For
http-request del-header X-Forwarded-Proto
# But add our forwarding headers instead
option forwardfor
# New line to test URI to see if its a letsencrypt request # New line to test URI to see if its a letsencrypt request
acl letsencrypt-acl path_beg /.well-known/acme-challenge/ acl letsencrypt-acl path_beg /.well-known/acme-challenge/

View File

@ -9,6 +9,8 @@
ProxyPreserveHost On ProxyPreserveHost On
ProxyRequests off ProxyRequests off
ProxyVia Off ProxyVia Off
# Do not touch the proxy headers, these are set by HAProxy before
ProxyAddHeaders off
ProxyPass "/" "http://dd-sso-haproxy:81/" ProxyPass "/" "http://dd-sso-haproxy:81/"
ProxyPassReverse "/" "http://dd-sso-haproxy:81/" ProxyPassReverse "/" "http://dd-sso-haproxy:81/"
</VirtualHost> </VirtualHost>