From 4db07f9aefbd2b93df8f8b5c5153183ea1539b32 Mon Sep 17 00:00:00 2001 From: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> Date: Wed, 3 Mar 2021 18:49:08 +0000 Subject: Set X-Forwarded-Proto header when frontend-proxy proxies a request (#9539) Should fix some remaining warnings --- changelog.d/9539.feature | 1 + synapse/app/generic_worker.py | 15 +++++++++++++-- 2 files changed, 14 insertions(+), 2 deletions(-) create mode 100644 changelog.d/9539.feature diff --git a/changelog.d/9539.feature b/changelog.d/9539.feature new file mode 100644 index 0000000000..06cfd5d199 --- /dev/null +++ b/changelog.d/9539.feature @@ -0,0 +1 @@ +Add support for `X-Forwarded-Proto` header when using a reverse proxy. diff --git a/synapse/app/generic_worker.py b/synapse/app/generic_worker.py index dc0d3eb725..274d582d07 100644 --- a/synapse/app/generic_worker.py +++ b/synapse/app/generic_worker.py @@ -23,6 +23,7 @@ from typing_extensions import ContextManager from twisted.internet import address from twisted.web.resource import IResource +from twisted.web.server import Request import synapse import synapse.events @@ -190,7 +191,7 @@ class KeyUploadServlet(RestServlet): self.http_client = hs.get_simple_http_client() self.main_uri = hs.config.worker_main_http_uri - async def on_POST(self, request, device_id): + async def on_POST(self, request: Request, device_id: Optional[str]): requester = await self.auth.get_user_by_req(request, allow_guest=True) user_id = requester.user.to_string() body = parse_json_object_from_request(request) @@ -223,10 +224,12 @@ class KeyUploadServlet(RestServlet): header: request.requestHeaders.getRawHeaders(header, []) for header in (b"Authorization", b"User-Agent") } - # Add the previous hop the the X-Forwarded-For header. + # Add the previous hop to the X-Forwarded-For header. x_forwarded_for = request.requestHeaders.getRawHeaders( b"X-Forwarded-For", [] ) + # we use request.client here, since we want the previous hop, not the + # original client (as returned by request.getClientAddress()). if isinstance(request.client, (address.IPv4Address, address.IPv6Address)): previous_host = request.client.host.encode("ascii") # If the header exists, add to the comma-separated list of the first @@ -239,6 +242,14 @@ class KeyUploadServlet(RestServlet): x_forwarded_for = [previous_host] headers[b"X-Forwarded-For"] = x_forwarded_for + # Replicate the original X-Forwarded-Proto header. Note that + # XForwardedForRequest overrides isSecure() to give us the original protocol + # used by the client, as opposed to the protocol used by our upstream proxy + # - which is what we want here. + headers[b"X-Forwarded-Proto"] = [ + b"https" if request.isSecure() else b"http" + ] + try: result = await self.http_client.post_json_get_json( self.main_uri + request.uri.decode("ascii"), body, headers=headers -- cgit 1.4.1