From 003b3f2c1247cff95f8fbde1268ad3fd6ad6181f Mon Sep 17 00:00:00 2001
From: Disassembler
Date: Fri, 2 Feb 2018 21:04:12 +0100
Subject: [PATCH] Extend X-Forwarded headers to avoid bogus URLs on double-proxied apps
---
 kanboard/docker/etc/nginx/nginx.conf | 7 ++++++-
 kanboard/etc/nginx/conf.d/kanboard.conf | 3 +++
 seeddms/docker/etc/nginx/nginx.conf | 7 ++++++-
 seeddms/etc/nginx/conf.d/seeddms.conf | 3 +++
 ushahidi/docker/etc/nginx/nginx.conf | 7 ++++++-
 ushahidi/etc/nginx/conf.d/ushahidi.conf | 3 +++
 6 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/kanboard/docker/etc/nginx/nginx.conf b/kanboard/docker/etc/nginx/nginx.conf
index 6475b12..82d694e 100644
--- a/kanboard/docker/etc/nginx/nginx.conf
+++ b/kanboard/docker/etc/nginx/nginx.conf
@@ -33,9 +33,14 @@ http {
 try_files $uri =404;
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
 fastcgi_pass unix:/var/run/kanboard.sock;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 fastcgi_index index.php;
 include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param HTTP_HOST $http_x_forwarded_host if_not_empty;
+ fastcgi_param HTTPS $http_x_forwarded_https if_not_empty;
+ fastcgi_param REQUEST_SCHEME $http_x_forwarded_proto if_not_empty;
+ fastcgi_param SERVER_NAME $http_x_forwarded_server_name if_not_empty;
+ fastcgi_param SERVER_PORT $http_x_forwarded_server_port if_not_empty;
 }
 location ~* ^.+\.(log|sqlite)$ {
diff --git a/kanboard/etc/nginx/conf.d/kanboard.conf b/kanboard/etc/nginx/conf.d/kanboard.conf
index e2c4b3a..f5d51d5 100644
--- a/kanboard/etc/nginx/conf.d/kanboard.conf
+++ b/kanboard/etc/nginx/conf.d/kanboard.conf
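Review bot: In kanboard/docker/etc/nginx/nginx.conf the new `fastcgi_param ... $http_x_forwarded_* if_not_empty;` lines take HTTP_HOST, HTTPS, REQUEST_SCHEME, SERVER_NAME and SERVER_PORT straight from request headers, so they are only as trustworthy as whatever can reach this listener; the matching hunks in seeddms/docker/etc/nginx/nginx.conf and ushahidi/docker/etc/nginx/nginx.conf have the same property. The `listen` directive is outside the hunk, so it is worth confirming the container port is reachable only from the host proxy and recording that next to the block, e.g. `# X-Forwarded-* are trusted here: this server must only be reachable through the host nginx`. The overrides also come after `include fastcgi_params;`, which (if it is the stock file) already defines HTTPS, REQUEST_SCHEME, SERVER_NAME and SERVER_PORT, so the result depends on the FastCGI backend honouring the last duplicate; a one-line comment saying the ordering is deliberate would stop someone from moving the include back below.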
@@ -9,6 +9,9 @@ server {
 proxy_set_header X-Forwarded-For $remote_addr;
 proxy_set_header X-Forwarded-Host $host:$server_port;
 proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-HTTPS $https;
+ proxy_set_header X-Forwarded-Server-Name $host;
+ proxy_set_header X-Forwarded-Server-Port $server_port;
 proxy_pass http://127.0.0.1:8009;
 }
 }
diff --git a/seeddms/docker/etc/nginx/nginx.conf b/seeddms/docker/etc/nginx/nginx.conf
index 6fa6d78..ea48df2 100644
--- a/seeddms/docker/etc/nginx/nginx.conf
+++ b/seeddms/docker/etc/nginx/nginx.conf
@@ -31,9 +31,14 @@ http {
 location ~ \.php$ {
 fastcgi_pass unix:/var/run/seeddms.sock;
- fastcgi_param SCRIPT_FILENAME $request_filename;
 fastcgi_index index.php;
 include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $request_filename;
+ fastcgi_param HTTP_HOST $http_x_forwarded_host if_not_empty;
+ fastcgi_param HTTPS $http_x_forwarded_https if_not_empty;
+ fastcgi_param REQUEST_SCHEME $http_x_forwarded_proto if_not_empty;
+ fastcgi_param SERVER_NAME $http_x_forwarded_server_name if_not_empty;
+ fastcgi_param SERVER_PORT $http_x_forwarded_server_port if_not_empty;
 }
 }
 }
diff --git a/seeddms/etc/nginx/conf.d/seeddms.conf b/seeddms/etc/nginx/conf.d/seeddms.conf
index 27112f8..4496e13 100644
--- a/seeddms/etc/nginx/conf.d/seeddms.conf
+++ b/seeddms/etc/nginx/conf.d/seeddms.conf
@@ -9,6 +9,9 @@ server {
 proxy_set_header X-Forwarded-For $remote_addr;
 proxy_set_header X-Forwarded-Host $host:$server_port;
 proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-HTTPS $https;
+ proxy_set_header X-Forwarded-Server-Name $host;
+ proxy_set_header X-Forwarded-Server-Port $server_port;
 proxy_pass http://127.0.0.1:8010;
 }
 }
diff --git a/ushahidi/docker/etc/nginx/nginx.conf b/ushahidi/docker/etc/nginx/nginx.conf
index f13b742..e9a2a54 100644
--- a/ushahidi/docker/etc/nginx/nginx.conf
+++ b/ushahidi/docker/etc/nginx/nginx.conf
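Review bot: In kanboard/etc/nginx/conf.d/kanboard.conf, `proxy_set_header X-Forwarded-Server-Name $host;` forwards a name taken from the request (request line or Host header), and the container config then substitutes it for SERVER_NAME, which would otherwise be the configured `$server_name`; the seeddms.conf and ushahidi.conf hunks do the same. If this `server` block is a default or catch-all (its `server_name` line is outside the hunk), an arbitrary Host value would reach the application as both HTTP_HOST and SERVER_NAME, so either pin `server_name` to the expected hostnames or send `proxy_set_header X-Forwarded-Server-Name $server_name;` here. Separately, the existing `X-Forwarded-Host $host:$server_port` now becomes HTTP_HOST in the container, so the application will see an explicit port even on 80/443; it is worth checking that generated URLs and any host allow-list in the apps still match.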
@@ -30,13 +30,18 @@ http {
 }
 location /platform {
+ fastcgi_pass unix:/var/run/ushahidi.sock;
 fastcgi_index index.php;
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME $document_root/platform/httpdocs/index.php;
 fastcgi_split_path_info ^(/platform/)(.*)$;
 fastcgi_param PATH_INFO $fastcgi_path_info;
 fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
- fastcgi_pass unix:/var/run/ushahidi.sock;
+ fastcgi_param HTTP_HOST $http_x_forwarded_host if_not_empty;
+ fastcgi_param HTTPS $http_x_forwarded_https if_not_empty;
+ fastcgi_param REQUEST_SCHEME $http_x_forwarded_proto if_not_empty;
+ fastcgi_param SERVER_NAME $http_x_forwarded_server_name if_not_empty;
+ fastcgi_param SERVER_PORT $http_x_forwarded_server_port if_not_empty;
 }
 }
 }
diff --git a/ushahidi/etc/nginx/conf.d/ushahidi.conf b/ushahidi/etc/nginx/conf.d/ushahidi.conf
index 652cc53..3c88ecc 100644
--- a/ushahidi/etc/nginx/conf.d/ushahidi.conf
+++ b/ushahidi/etc/nginx/conf.d/ushahidi.conf
@@ -9,6 +9,9 @@ server {
 proxy_set_header X-Forwarded-For $remote_addr;
 proxy_set_header X-Forwarded-Host $host:$server_port;
 proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-HTTPS $https;
+ proxy_set_header X-Forwarded-Server-Name $host;
+ proxy_set_header X-Forwarded-Server-Port $server_port;
 proxy_pass http://127.0.0.1:8014;
 }
 }