From d28691ceed48feb0190802797bb76d42b0c46ea3 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Fri, 3 Jan 2025 23:50:40 -0700
Subject: [PATCH] Fix X-Forwarded-For

Signed-off-by: Tommy
---
 etc/nginx/snippets/proxy.conf | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/etc/nginx/snippets/proxy.conf b/etc/nginx/snippets/proxy.conf
index 379d5e2..90eaf34 100644
--- a/etc/nginx/snippets/proxy.conf
+++ b/etc/nginx/snippets/proxy.conf
@@ -18,7 +18,13 @@ proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "upgrade";
 
 # Enable X-Forwarded headers
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+## Using $proxy_add_x_forwarded_for will append the $remote_addr to the end of the the IP lists
+## If some clients sends a fake X-Forwarded-For, and the upstream server does not parses this
+## correctly, it could result in security issues.
+## We are not behind a reverse proxy, so just set it to $remote_addr should be good enough.
+proxy_set_header X-Forwarded-For $remote_addr;
+
 proxy_set_header X-Forwarded-Host $host;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_set_header X-Forwarded-Ssl on;
@@ -36,4 +42,4 @@ proxy_set_header X-Original-URI "";
 
 # Potentially dangerous: https://github.com/oauth2-proxy/oauth2-proxy/issues/735
 proxy_set_header X-Original-Method "";
-proxy_set_header X-Forwarded-Method "";
\ No newline at end of file
+proxy_set_header X-Forwarded-Method "";
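Review bot: In the first hunk, `proxy_set_header X-Forwarded-For $remote_addr;` is only correct while the stated assumption ("We are not behind a reverse proxy") holds, and the new comment does not say what to do once it stops holding. If a load balancer or CDN is later placed in front, `$remote_addr` becomes that proxy's address for every client, so I would extend the comment with `## If a trusted proxy is ever added in front, set set_real_ip_from/real_ip_header (realip module) instead of reverting to $proxy_add_x_forwarded_for.` The change also overwrites only X-Forwarded-For, while nginx passes other client request headers through unchanged. Unless lines outside this hunk already handle them, a client-supplied `X-Real-IP` or `Forwarded` header still reaches the upstream; `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header Forwarded "";` would close that the same way the file already blanks X-Original-Method. The snippet begins before line 18, so those directives may already be present and should be checked there.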