
Switch from X-Real-IP to X-Forwarded-For in nginx.conf #3929

Open. Wants to merge 1 commit into base: develop
Conversation

woliver99

X-Forwarded-For is more commonly used across various proxies and load balancers, including Cloudflare, which does not use X-Real-IP.

This should fix #3582 #3267 #1358 #1230

woliver99 (Author) commented Aug 13, 2024

Just realized that we could make it a variable so that people could change it to whatever they want. But I still believe we should make the default x-forwarded-for instead of x-real-ip.

cbenard commented Aug 15, 2024

I'm having to mount a custom nginx.conf to fix this. I would like this changed too.

nginxproxymanagerci commented

CI Error:

/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
certbot-node: Pulling from nginxproxymanager/nginx-full
Digest: sha256:eaa2ebcb50dd87557c9a8f95a3230128d94cac1ea17800261c036e59378e7d49
Status: Image is up to date for nginxproxymanager/nginx-full:certbot-node
docker.io/nginxproxymanager/nginx-full:certbot-node
❯ Building Frontend ...
yarn install v1.22.22
[1/4] Resolving packages...
[2/4] Fetching packages...
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
error Command failed.
Exit code: 128
Command: git
Arguments: clone https://github.com/tabler/tabler.git /usr/local/share/.cache/yarn/v6/.tmp/e11a93799a52aa978c82015e29fbe309
Directory: /app/frontend
Output:
Cloning into '/usr/local/share/.cache/yarn/v6/.tmp/e11a93799a52aa978c82015e29fbe309'...
error: RPC failed; curl 92 HTTP/2 stream 5 was not closed cleanly: CANCEL (err 8)
error: 3204 bytes of body are still expected
fetch-pack: unexpected disconnect while reading sideband packet
fatal: early EOF
fatal: fetch-pack: invalid index-pack output

jmarmstrong1207 commented Nov 5, 2024

I believe X-Real-IP may be used instead of X-Forwarded-For if a non-trusted proxy spoofs the IP in X-Forwarded-For.

This is from my research when I had this issue with Cloudflare proxies making NPM output an incorrect IP in the logs. Let me know if I'm wrong and X-Real-IP can actually be spoofed. It looks like nginx sets x-real-ip to $remote_addr, so it'd be the most trustworthy, and that is why it's the default.

Therefore, I used CF-Connecting-IP (X-Forwarded-For equivalent) for my domains with CF's proxy enabled. For domains with it disabled, I leave it as-is because it will give the literal connecting IP address rather than what the provided header says.

jkbudde commented Dec 13, 2024

X-Forwarded-For will list all IPs for any proxy the request has been through, including the client IP address provided to the original proxy (Cloudflare or otherwise). This header is capable of being spoofed, which is why it is important to have the trusted IPs available to nginx through the set_real_ip_from header. There is also a proposed standard regarding the Forwarded HTTP Extension, see RFC 7239.

With Cloudflare, the source of truth is from the CF-Connecting-IP for domains with proxying enabled as noted by @jmarmstrong1207. For IPv6, the true IPv6 address will be in CF-Connecting-IPv6. I use CF-Connecting-IP unless I know the service/host is not proxied through Cloudflare.

An option in the user interface to list all trusted IPs (beyond those already sourced) and to set the real_ip_header would be beneficial. Creating a variable that defaults to either X-Forwarded-For or X-Real-IP may be beneficial if the approach includes the option for customization by end users in the future. Of note, other service providers also have a header similar to Cloudflare's, so having an option for directly customizing this would be beneficial in addition to sourcing the Cloudflare and AWS known IPs.
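As an added illustration of the trust question raised in this thread (this is example code, not code from nginx-proxy-manager or nginx), the following Python models the documented address-selection logic of nginx's realip module for set_real_ip_from, real_ip_header and real_ip_recursive, and runs it against a constructed Cloudflare-style request chain; the network ranges are RFC 5737 placeholders, not Cloudflare's published ranges.

```python
import ipaddress

# Added example: a small model of nginx's ngx_http_realip_module address
# selection (not code from nginx-proxy-manager or nginx itself).
# Documented behaviour being modelled:
#   set_real_ip_from  -> trusted proxy networks
#   real_ip_header    -> header carrying the client address(es)
#   real_ip_recursive -> off: take the last address in the header;
#                        on: walk right-to-left, stop at the first untrusted hop


def resolve_client_ip(remote_addr, header_value, trusted_cidrs, recursive=True):
    """Return the address nginx would expose as the client after realip."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]

    def is_trusted(ip):
        return any(ipaddress.ip_address(ip) in net for net in trusted)

    # Only a trusted direct peer may override $remote_addr at all.
    if not header_value or not is_trusted(remote_addr):
        return remote_addr
    chain = [hop.strip() for hop in header_value.split(",") if hop.strip()]
    candidate = remote_addr
    for hop in reversed(chain):
        candidate = hop
        if not recursive or not is_trusted(hop):
            break  # first untrusted hop from the right (or the only hop considered)
    return candidate


# Constructed scenario, all addresses from RFC 5737 documentation ranges:
#   203.0.113.0/24 stands in for a Cloudflare edge range (placeholder),
#   198.51.100.7 is the real client, 192.0.2.99 is a value the client put
#   into X-Forwarded-For itself before the edge appended the real address.
EDGE_RANGE = ["203.0.113.0/24"]
EDGE_IP = "203.0.113.10"
XFF_FROM_EDGE = "192.0.2.99, 198.51.100.7"


def scenarios():
    return {
        # scoped trust + recursive: the client-supplied leftmost value is skipped
        "scoped_xff": resolve_client_ip(EDGE_IP, XFF_FROM_EDGE, EDGE_RANGE),
        # trusting everything (set_real_ip_from 0.0.0.0/0): spoofed value wins
        "trust_all_xff": resolve_client_ip(EDGE_IP, XFF_FROM_EDGE, ["0.0.0.0/0"]),
        # single-valued header such as CF-Connecting-IP or X-Real-IP
        "cf_connecting_ip": resolve_client_ip(EDGE_IP, "198.51.100.7", EDGE_RANGE),
        # client connecting directly (no trusted proxy): the header is ignored
        "direct_client": resolve_client_ip("198.51.100.7", "192.0.2.99", EDGE_RANGE),
    }


if __name__ == "__main__":
    for name, ip in scenarios().items():
        print(f"{name:18} -> {ip}")
```

The "trust_all_xff" case is the configuration the thread warns about: once every address is trusted, the leftmost client-controlled value is what ends up in the logs.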

Successfully merging this pull request may close these issues:

Cloudflare ipv4 not loaded