From e27ab5d6c3ae46615042e3b44587400790db30e4 Mon Sep 17 00:00:00 2001
From: Matt Gibson
Date: Thu, 8 Jun 2023 08:41:36 -0500
Subject: [PATCH] Add nginx to known proxies (#3002)
* Add nginx to known proxies
* Only add nginx proxy if standard self host deployment
* Style changes
---
 docker-unified/Dockerfile | 1 +
 src/Core/Settings/GlobalSettings.cs | 1 +
 src/Core/Settings/IGlobalSettings.cs | 2 ++
 .../Utilities/ServiceCollectionExtensions.cs | 18 +++++++++++++++---
 4 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/docker-unified/Dockerfile b/docker-unified/Dockerfile
index 5f0a0ed8a..a01a3d397 100644
--- a/docker-unified/Dockerfile
+++ b/docker-unified/Dockerfile
@@ -194,6 +194,7 @@ ENV BW_ENABLE_SSO=false
 ENV BW_DB_FILE="/etc/bitwarden/vault.db"
 ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=false
 ENV globalSettings__selfHosted="true"
+ENV globalSettings__unifiedDeployment="true"
 ENV globalSettings__pushRelayBaseUri="https://push.bitwarden.com"
 ENV globalSettings__baseServiceUri__internalAdmin="http://localhost:5000"
 ENV globalSettings__baseServiceUri__internalApi="http://localhost:5001"
diff --git a/src/Core/Settings/GlobalSettings.cs b/src/Core/Settings/GlobalSettings.cs
index 758ee9e58..c2b7b4d45 100644
--- a/src/Core/Settings/GlobalSettings.cs
+++ b/src/Core/Settings/GlobalSettings.cs
@@ -17,6 +17,7 @@ public class GlobalSettings : IGlobalSettings
 }
 
 public bool SelfHosted { get; set; }
+ public bool UnifiedDeployment { get; set; }
 public virtual string KnownProxies { get; set; }
 public virtual string SiteName { get; set; }
 public virtual string ProjectName { get; set; }
diff --git a/src/Core/Settings/IGlobalSettings.cs b/src/Core/Settings/IGlobalSettings.cs
index 99860c340..42fc54ef8 100644
--- a/src/Core/Settings/IGlobalSettings.cs
+++ b/src/Core/Settings/IGlobalSettings.cs
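Review bot: `UnifiedDeployment` is added to GlobalSettings here (and to IGlobalSettings in the next hunk) without a doc comment, although it now decides whether the nginx container is trusted as a forwarding proxy, and nothing on the property says where the value comes from. A one-line XML summary would do, e.g. `/// <summary>True for the single-container (unified) self-host image, whose Dockerfile sets globalSettings__unifiedDeployment; used to decide whether the nginx container is added to the known proxies.</summary>`. Since the default is `false`, every other configuration is treated as a standard (non-unified) deployment, which is worth stating on the property so operators of other layouts know the lookup will run for them.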
@@ -6,6 +6,8 @@ public interface IGlobalSettings
 {
 // This interface exists for testing. Add settings here as needed for testing
 bool SelfHosted { get; set; }
+ bool UnifiedDeployment { get; set; }
+ string KnownProxies { get; set; }
 bool EnableCloudCommunication { get; set; }
 string LicenseDirectory { get; set; }
 string LicenseCertificatePassword { get; set; }
diff --git a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
index 2a1bcbf92..679aaed1b 100644
--- a/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
+++ b/src/SharedWeb/Utilities/ServiceCollectionExtensions.cs
@@ -1,4 +1,5 @@
-using System.Reflection;
+using System.Net;
+using System.Reflection;
 using System.Security.Claims;
 using System.Security.Cryptography.X509Certificates;
 using AspNetCoreRateLimit;
@@ -529,18 +530,29 @@ public static class ServiceCollectionExtensions
 });
 }
 
- public static void UseForwardedHeaders(this IApplicationBuilder app, GlobalSettings globalSettings)
+ public static void UseForwardedHeaders(this IApplicationBuilder app, IGlobalSettings globalSettings)
 {
 var options = new ForwardedHeadersOptions
 {
 ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
 };
+
+ if (!globalSettings.UnifiedDeployment)
+ {
+ // Trust the X-Forwarded-Host header of the nginx docker container
+ var nginxIp = Dns.GetHostEntry("nginx").AddressList.FirstOrDefault();
+ if (nginxIp != null)
+ {
+ options.KnownProxies.Add(nginxIp);
+ }
+ }
+
 if (!string.IsNullOrWhiteSpace(globalSettings.KnownProxies))
 {
 var proxies = globalSettings.KnownProxies.Split(',');
 foreach (var proxy in proxies)
 {
- if (System.Net.IPAddress.TryParse(proxy.Trim(), out var ip))
+ if (IPAddress.TryParse(proxy.Trim(), out var ip))
 {
 options.KnownProxies.Add(ip);
 }
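Review bot: `Dns.GetHostEntry("nginx")` inside the new `if (!globalSettings.UnifiedDeployment)` block is unguarded, and it throws a `SocketException` when the name does not resolve, so startup of `UseForwardedHeaders` fails for any deployment that is neither unified nor running a container named `nginx`. The condition also does not match the commit message ("Only add nginx proxy if standard self host deployment"): `SelfHosted` is never consulted, so a configuration that simply leaves `UnifiedDeployment` at its default `false` — presumably including cloud — would attempt the lookup too. I would gate on `globalSettings.SelfHosted && !globalSettings.UnifiedDeployment` and catch `System.Net.Sockets.SocketException` around the lookup so the middleware falls back to the configured `KnownProxies` instead of crashing. The comment is inaccurate as well: the options only enable `XForwardedFor | XForwardedProto`, so `X-Forwarded-Host` is not trusted by this code and the comment should name the headers that are. Note that the address is resolved once at startup and only `FirstOrDefault()` of the address list is trusted, so if the nginx container later comes up on a different address, or connects over an address family other than the first resolved one, its forwarded headers would be silently ignored — that limitation deserves a comment at minimum.
```csharp
        if (globalSettings.SelfHosted && !globalSettings.UnifiedDeployment)
        {
            // Trust X-Forwarded-For / X-Forwarded-Proto from the nginx container of the
            // standard self-host stack. Resolved once at startup; only the first address is used.
            try
            {
                var nginxIp = Dns.GetHostEntry("nginx").AddressList.FirstOrDefault();
                if (nginxIp != null)
                {
                    options.KnownProxies.Add(nginxIp);
                }
            }
            catch (System.Net.Sockets.SocketException)
            {
                // No "nginx" host on this network; rely on the configured KnownProxies only.
            }
        }
        // … unchanged: KnownProxies parsing loop …
```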