From 95f40047efe5bf9cf0d32315a2b95f04217f613a Mon Sep 17 00:00:00 2001 From: dosera Date: Fri, 16 Jul 2021 11:04:52 +0200 Subject: [PATCH] =?UTF-8?q?Extend=20the=20fail2ban=20instructions=20with?= =?UTF-8?q?=20a=20hint=20on=20how=20to=20make=20X-Real-IP=E2=80=A6=20(#164?= =?UTF-8?q?46)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Following the merging of #14959 - Gitea is a lot more strict regarding the interpretation of `X-Real-IP` and `X-Forwarded-For` headers. This PR updates the fail2ban documentation to include hints to set: `REVERSE_PROXY_TRUSTED_PROXIES` and `REVERSE_PROXY_LIMIT` appropriately. See discussion in #16443 Co-authored-by: zeripath --- docs/content/doc/usage/fail2ban-setup.en-us.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/content/doc/usage/fail2ban-setup.en-us.md b/docs/content/doc/usage/fail2ban-setup.en-us.md index f96cf889a3..0821b23a9f 100644 --- a/docs/content/doc/usage/fail2ban-setup.en-us.md +++ b/docs/content/doc/usage/fail2ban-setup.en-us.md @@ -108,3 +108,12 @@ this to your Nginx configuration so that IPs don't show up as 127.0.0.1: ``` proxy_set_header X-Real-IP $remote_addr; ``` + +The security options in `app.ini` need to be adjusted to allow the interpretation of the headers +as well as the list of IP addresses and networks that describe trusted proxy servers +(See the [configuration cheat sheet](https://docs.gitea.io/en-us/config-cheat-sheet/#security-security) for more information). + +``` +REVERSE_PROXY_LIMIT = 1 +REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.1/8 ; 172.17.0.0/16 for the docker default network +```