Add nginx to known proxies (#3002)

* Add nginx to known proxies * Only add nginx proxy if standard self host deployment * Style changes
3 years ago · e27ab5d6c3
4 changed files with 19 additions and 3 deletions
--- a/docker-unified/Dockerfile
+++ b/docker-unified/Dockerfile
@ -194,6 +194,7 @@ ENV BW_ENABLE_SSO=false
				@@ -194,6 +194,7 @@ ENV BW_ENABLE_SSO=false
 ENV BW_DB_FILE="/etc/bitwarden/vault.db"
 ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=false
 ENV globalSettings__selfHosted="true"
+ENV globalSettings__unifiedDeployment="true"
 ENV globalSettings__pushRelayBaseUri="https://push.bitwarden.com"
 ENV globalSettings__baseServiceUri__internalAdmin="http://localhost:5000"
 ENV globalSettings__baseServiceUri__internalApi="http://localhost:5001"
--- a/src/Core/Settings/GlobalSettings.cs
+++ b/src/Core/Settings/GlobalSettings.cs
@ -17,6 +17,7 @@ public class GlobalSettings : IGlobalSettings
				@@ -17,6 +17,7 @@ public class GlobalSettings : IGlobalSettings
    }

    public bool SelfHosted { get; set; }
+    public bool UnifiedDeployment { get; set; }
    public virtual string KnownProxies { get; set; }
    public virtual string SiteName { get; set; }
    public virtual string ProjectName { get; set; }
--- a/src/Core/Settings/IGlobalSettings.cs
+++ b/src/Core/Settings/IGlobalSettings.cs
@ -6,6 +6,8 @@ public interface IGlobalSettings
				@@ -6,6 +6,8 @@ public interface IGlobalSettings
 {
    // This interface exists for testing. Add settings here as needed for testing
    bool SelfHosted { get; set; }
+    bool UnifiedDeployment { get; set; }
+    string KnownProxies { get; set; }
    bool EnableCloudCommunication { get; set; }
    string LicenseDirectory { get; set; }
    string LicenseCertificatePassword { get; set; }
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@ -1,4 +1,5 @@
				@@ -1,4 +1,5 @@
-using System.Reflection;
+using System.Net;
+using System.Reflection;
 using System.Security.Claims;
 using System.Security.Cryptography.X509Certificates;
 using AspNetCoreRateLimit;
@ -529,18 +530,29 @@ public static class ServiceCollectionExtensions
				@@ -529,18 +530,29 @@ public static class ServiceCollectionExtensions
        });
    }

-    public static void UseForwardedHeaders(this IApplicationBuilder app, GlobalSettings globalSettings)
+    public static void UseForwardedHeaders(this IApplicationBuilder app, IGlobalSettings globalSettings)
    {
        var options = new ForwardedHeadersOptions
        {
            ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
        };
+
+        if (!globalSettings.UnifiedDeployment)
+        {
+            // Trust the X-Forwarded-Host header of the nginx docker container
+            var nginxIp = Dns.GetHostEntry("nginx").AddressList.FirstOrDefault();
+            if (nginxIp != null)
+            {
+                options.KnownProxies.Add(nginxIp);
+            }
+        }
+
        if (!string.IsNullOrWhiteSpace(globalSettings.KnownProxies))
        {
            var proxies = globalSettings.KnownProxies.Split(',');
            foreach (var proxy in proxies)
            {
-                if (System.Net.IPAddress.TryParse(proxy.Trim(), out var ip))
+                if (IPAddress.TryParse(proxy.Trim(), out var ip))
                {
                    options.KnownProxies.Add(ip);
                }