From bf6efe532c8f2de84e95b090911280a9b1b61ce8 Mon Sep 17 00:00:00 2001
From: Igor Scheller
Date: Mon, 13 Aug 2018 16:30:27 +0200
Subject: Added trusted proxies
---
 contrib/Dockerfile | 6 ++++++
 contrib/nginx/nginx.conf | 43 +++++++++++++++++++++++++------------------
 2 files changed, 31 insertions(+), 18 deletions(-)
(limited to 'contrib')
diff --git a/contrib/Dockerfile b/contrib/Dockerfile
index 8d5fb47b..9b218cf8 100644
--- a/contrib/Dockerfile
+++ b/contrib/Dockerfile
@@ -33,3 +33,9 @@ FROM php:7-fpm-alpine
 COPY --from=data /app/ /var/www
 RUN apk add --no-cache icu-dev gettext-dev && \
 docker-php-ext-install intl gettext pdo_mysql
+
+ENV TRUSTED_PROXIES 10.0.0.0/8,::ffff:10.0.0.0/8,\
+ 127.0.0.0/8,::ffff:127.0.0.0/8,\
+ 172.16.0.0/12,::ffff:172.16.0.0/12,\
+ 192.168.0.0/16,::ffff:192.168.0.0/16,\
+ ::1/128,fc00::/7,fec0::/10
diff --git a/contrib/nginx/nginx.conf b/contrib/nginx/nginx.conf
index bbaf5824..96e4688f 100644
--- a/contrib/nginx/nginx.conf
+++ b/contrib/nginx/nginx.conf
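Review bot: The `TRUSTED_PROXIES` default added in contrib/Dockerfile covers every private, loopback and unique-local range, so presumably any peer in those ranges that can reach the service is believed when it sends `X-Forwarded-For` or `X-Forwarded-Proto`. That suits an isolated container network but is broad for a shared internal network, so I would add a comment above the `ENV`, for example `# Default trusts all private ranges; override TRUSTED_PROXIES with the address of your actual reverse proxy.` The continuation lines are indented, and the legacy `ENV name value` form keeps that whitespace inside the value, so the consumer has to trim each entry; this is worth confirming because the parsing code is not part of this patch.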
@@ -1,35 +1,42 @@ error_log stderr; + events { worker_connections 1024; } + http { client_body_temp_path /tmp/client_body_temp; - fastcgi_temp_path /tmp/fastcgi_temp; - proxy_temp_path /tmp/proxy_temp; - scgi_temp_path /tmp/scgi_temp; - uwsgi_temp_path /tmp/uwsgi_temp; - + fastcgi_temp_path /tmp/fastcgi_temp; + proxy_temp_path /tmp/proxy_temp; + scgi_temp_path /tmp/scgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + + map $http_x_forwarded_proto $forwarded_proto { + default $http_x_forwarded_proto; + https https; + } + server { - include mime.types; - access_log off; - listen [::]:80 ipv6only=off; - proxy_redirect off; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - index index.php; - root /var/www/html; - + include mime.types; + access_log off; + listen [::]:80 ipv6only=off; + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $forwarded_proto; + index index.php; + root /var/www/html; + location / { try_files $uri $uri/ /index.php?$args; } location ~ \.php$ { - fastcgi_pass engelsystem:9000; + fastcgi_pass engelsystem:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param HTTPS on; - include fastcgi_params; + include fastcgi_params; } } } -- cgit v1.2.3-54-g00ecf
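Review bot: The added `proxy_set_header X-Forwarded-Proto $forwarded_proto;` looks inert, because the only upstream visible in this server block is `fastcgi_pass` and `proxy_set_header` applies to proxied requests only; the existing `proxy_set_header` lines have the same limitation. The new `map` is also an identity (its `default` returns the incoming header and `https` maps to `https`), so the client-supplied `X-Forwarded-Proto` reaches PHP unchanged while `fastcgi_param HTTPS on;` is removed, which leaves the scheme decision entirely to the application's trusted-proxy check. If normalising the header was the intent, the map default could be `$scheme` and the value passed with `fastcgi_param HTTP_X_FORWARDED_PROTO $forwarded_proto;` after `include fastcgi_params;`; otherwise a one-line comment stating that forwarded headers are passed through untouched and validated by the application would help.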