mirror of
https://github.com/freedombox/FreedomBox.git
synced 2026-01-28 08:03:36 +00:00
Newer versions of Django axes have a new way to get the IP address of a client using the ipware library. This has multiple security issues: https://github.com/jazzband/django-axes/issues/286 . Work around them by controlling the X-FORWARDED-FOR header sent from Apache to FreedomBox and by limiting the headers that ipware uses.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
23 lines
886 B
Plaintext
##
## On all sites, provide Plinth on a default path: /plinth
##
## Requires the following Apache modules to be enabled:
## mod_headers
## mod_proxy
## mod_proxy_http
##
<Location /plinth>
    ProxyPass http://127.0.0.1:8000/plinth
    ## Send the scheme from user's request to enable Plinth to redirect
    ## URLs, set cookies, set absolute URLs (if any) properly.
    RequestHeader set X-Forwarded-Proto 'https' env=HTTPS

    ## Ignore any X-FORWARDED-FOR headers sent by the client and their
    ## proxies. Apache will still set this header with the remote
    ## address of the client. Apache is the first and only trusted entry
    ## point for FreedomBox. Any code that does not deal with this
    ## header properly will remain safe. For example:
    ## https://github.com/jazzband/django-axes/issues/286
    RequestHeader unset X-Forwarded-For
</Location>
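Review bot: the same client-controlled-header concern applies to X-Forwarded-Proto. `RequestHeader set X-Forwarded-Proto 'https' env=HTTPS` only overwrites the header on HTTPS requests, so on a plain-HTTP request whatever X-Forwarded-Proto the client sent is proxied through to Plinth unchanged. Suggest an unconditional `RequestHeader unset X-Forwarded-Proto` ahead of the conditional set, mirroring what this change does for X-Forwarded-For.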
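The effect of the `RequestHeader unset X-Forwarded-For` directive above, as an added Python model that is not FreedomBox or django-axes code: `apply_apache_rules` is a hypothetical stand-in for mod_headers followed by mod_proxy appending the peer address, `resolve_client_ip` for a naive first-entry X-Forwarded-For lookup of the kind the linked issue describes, and the request headers and addresses are constructed.

```python
"""Model of how the Apache directives change the client IP a naive
X-Forwarded-For lookup sees.  Added example, not FreedomBox code."""

from typing import Dict


def apply_apache_rules(client_headers: Dict[str, str], remote_addr: str,
                       unset_xff: bool) -> Dict[str, str]:
    """Return the headers Apache forwards to Plinth (hypothetical model).

    mod_headers runs 'RequestHeader unset X-Forwarded-For' (when enabled)
    before the request reaches mod_proxy; mod_proxy then appends the TCP
    peer address to X-Forwarded-For, comma-separated if one is present.
    """
    # HTTP header names are case-insensitive; normalise for comparison.
    hdrs = {k.lower(): v for k, v in client_headers.items()}
    if unset_xff:
        hdrs.pop("x-forwarded-for", None)
    existing = hdrs.get("x-forwarded-for")
    hdrs["x-forwarded-for"] = (f"{existing}, {remote_addr}" if existing
                               else remote_addr)
    return hdrs


def resolve_client_ip(headers: Dict[str, str], remote_addr: str) -> str:
    """Naive lookup that trusts the first X-Forwarded-For entry."""
    xff = headers.get("x-forwarded-for")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


# Constructed request: a client with no proxy in front of it claims to
# be 10.0.0.5 while its real TCP peer address is 203.0.113.7.
SPOOFED = {"X-Forwarded-For": "10.0.0.5", "Host": "freedombox.local"}
PEER = "203.0.113.7"


def seen_without_unset() -> str:
    """Client-supplied entry wins: rate limits key on a forged address."""
    return resolve_client_ip(apply_apache_rules(SPOOFED, PEER, False), PEER)


def seen_with_unset() -> str:
    """Only Apache's own entry survives: the real peer address is used."""
    return resolve_client_ip(apply_apache_rules(SPOOFED, PEER, True), PEER)


if __name__ == "__main__":
    print("without unset:", seen_without_unset())  # 10.0.0.5
    print("with unset:   ", seen_with_unset())      # 203.0.113.7
```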