Merge #3317 #3318

3317: define client_ip variable (backport #3315) r=mergify[bot] a=mergify[bot] ## What type of PR? bug-fix ## What does this PR do? ### Related issue(s) closes #3314 ## Prerequisites Before we can consider review and merge, please make sure the following list is done and checked. If an entry in not applicable, you can check it or remove it from the list. - [x] In case of feature or enhancement: documentation updated accordingly - [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file. <hr>This is an automatic backport of pull request #3315 done by [Mergify](https://mergify.com). 3318: nginx should recursively set the realip until the first no trusted ad… (backport #3313) r=mergify[bot] a=mergify[bot] ## What type of PR? bug-fix ## What does this PR do? ### Related issue(s) closes https://github.com/Mailu/Mailu/issues/3311 ## Prerequisites Before we can consider review and merge, please make sure the following list is done and checked. If an entry in not applicable, you can check it or remove it from the list. - [x] In case of feature or enhancement: documentation updated accordingly - [x] Unless it's docs or a minor change: add [changelog](https://mailu.io/master/contributors/workflow.html#changelog) entry file. <hr>This is an automatic backport of pull request #3313 done by [Mergify](https://mergify.com). Co-authored-by: Dominik Hebeler <dominik@suma-ev.de>
2024-12-14 10:53:30 +02:00 · 2024-06-26 11:38:07 +00:00 · 2024-06-26 11:38:07 +00:00 · 8bd5d0f23d
commit 8bd5d0f23d
parent 0d2630c47b bca4fdffdb 33516af243
4 changed files with 6 additions and 1 deletions
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@ -130,6 +130,7 @@ https://mailu.io/master/configuration.html#header-authentication-using-an-extern
 def _proxy():
    proxy_ip = flask.request.headers.get('X-Forwarded-By', flask.request.remote_addr)
    ip = ipaddress.ip_address(proxy_ip)
+    client_ip = flask.request.headers.get('X-Real-IP', flask.request.remote_addr)
    if not any(ip in cidr for cidr in app.config['PROXY_AUTH_WHITELIST']):
        flask.current_app.logger.error(f'Login failed by proxy - not on whitelist: from {client_ip} through {flask.request.remote_addr}.')
        return flask.abort(500, '%s is not on PROXY_AUTH_WHITELIST' % proxy_ip)
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@ -26,7 +26,9 @@ http {
    real_ip_header proxy_protocol;
    {% endif %}

-    {% if REAL_IP_FROM %}{% for from_ip in REAL_IP_FROM.split(',') %}
+    {% if REAL_IP_FROM %}
+    real_ip_recursive on;
+    {% for from_ip in REAL_IP_FROM.split(',') %}
    set_real_ip_from {{ from_ip }};
    {% endfor %}{% endif %}

--- a/towncrier/newsfragments/3311.bugfix
+++ b/towncrier/newsfragments/3311.bugfix
@ -0,0 +1 @@
+Enable nginx setting `real_ip_recursive` to recursively replace real user ip
--- a/towncrier/newsfragments/3314.bugfix
+++ b/towncrier/newsfragments/3314.bugfix
@ -0,0 +1 @@
+Define client_ip variable in _proxy method. Fixes server error when using proxy authentication
				`@ -0,0 +1 @@`
				Enable nginx setting `real_ip_recursive` to recursively replace real user ip
				`@ -0,0 +1 @@`
				`Define client_ip variable in _proxy method. Fixes server error when using proxy authentication`