docker-jitsi-meet icon indicating copy to clipboard operation
docker-jitsi-meet copied to clipboard

Published 20 hours ago verified publisher icon jitsi

Prosody configuration does not set trusted proxies directive

Open millaguie opened this issue 4 years ago • 11 comments

According to Prosody documentation trusted reverse proxies has to be set in order to be able to know the real IP address of a client. This is preventing the log_auth module to show the real IP address of the client as it always shows the IP address of the web server (who is acting as a proxy).

There is no easy way to solve this issue, as it depends on the IP address of another container, a workaround is to set a depends_on tag on the prosody container forcing it to start after the web service, and change the configuration script to resolve the web server and set that IP (or IPs) in trusted_proxies. Another option is patch the prosody http_module to accept CIDRs (currently it only accept a list of IP address) and set the docker CIDR as trusted.

Has somebody else face this problem?

Thanks!

millaguie avatar May 07 '21 12:05 millaguie

Good point. I wonder if setting the trusted proxy to "*" would work.

saghul avatar May 07 '21 13:05 saghul

Good point. I wonder if setting the trusted proxy to "*" would work.

This would allow users to bypass the rate limiting we have in prosody (I'm not sure it's currently used with docker). Can we pin down the address of the nginx container to a smaller network, e.g. 192.168.0.0/16?

bgrozev avatar May 07 '21 18:05 bgrozev

In this setup clients never connect directly to prosody, it always goes through the web container.

Does your concern still apply in this scenario @bgrozev ?

saghul avatar May 07 '21 20:05 saghul

@saghul yes, a client could just include the header in the original request, and prosody will trust it.

@millaguie I just remembered we added support for CIDR to prosody for just this reason. I don't know if it's made it to 0.11 or the version used here though.

bgrozev avatar May 07 '21 21:05 bgrozev

@saghul yes, a client could just include the header in the original request, and prosody will trust it.

We'd set that header ourselves when proxying inwards, of course.

saghul avatar May 07 '21 22:05 saghul

We'd set that header ourselves when proxying inwards, of course.

Most proxies are configured to append to it

bgrozev avatar May 10 '21 16:05 bgrozev

I'm a bit confused :-) This setup has Nginx in front of Prosody. Prosody is not exposed directly, ever. If we set this header in Nginx and configure Prosody to trust anything, do you still have concerns?

saghul avatar May 10 '21 17:05 saghul

No, unless there are other proxies in front. If there are, prosody will detect their address as the client address, and someone could easily get the address rate limited.

bgrozev avatar May 10 '21 19:05 bgrozev

Gotcha.

saghul avatar May 10 '21 19:05 saghul

Hi,

Thanks @bgrozev!

@millaguie I just remembered we added support for CIDR to prosody for just this reason. I don't know if it's made it to 0.11 or the version used here though.

Yes, I think this is the proper way, but that code is not in 0.11.x only in trunk :(

millaguie avatar May 12 '21 08:05 millaguie

Yes, I think this is the proper way, but that code is not in 0.11.x only in trunk :(

Ah, that's unfortunate. Once it lands in a release, holler and we'll update and make it configurable.

saghul avatar May 12 '21 09:05 saghul