mirror/aliasvault
1
0
Fork 0
mirror of https://github.com/aliasvault/aliasvault.git synced 2026-05-09 15:56:11 -04:00
Code Issues Packages Projects Releases Wiki Activity

Add trusted_proxies env var to control nginx x-forwarded-for behaviour (#1982)

Browse Source
This commit is contained in:
Leendert de Borst
2026-05-01 14:15:05 +02:00
committed by Leendert de Borst
parent 04968032fd
commit c9eaf2d807
11 changed files with 379 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/installation/script/advanced/admin-access.md
View File

@@ -13,7 +13,7 @@ By default the admin panel at `/admin` is reachable from the public internet, al
- Sign-in requires the admin password you set during installation (and optional 2FA).
- The admin account is protected against brute force: after 10 failed sign-in attempts the account is locked for 30 minutes.
If you'd still rather not expose `/admin` to the open internet for example if your AliasVault server is only meant to be reached from a home network or VPN you can restrict it by client IP at the reverse-proxy layer.
If you'd still rather not expose `/admin` to the open internet, for example if your AliasVault server is only meant to be reached from a home network or VPN, you can restrict it by client IP at the reverse-proxy layer using the `ADMIN_IP_ALLOWLIST` environment variable.
## How it works
@@ -23,7 +23,7 @@ Requests from allowlisted IPs reach the admin panel as normal.
## Configure
Run the install script — it walks you through the options, validates your input, and offers to restart the containers for you:
Run the install script which walks you through the options, validates your input, and offers to restart the containers for you:
```bash
$ ./install.sh configure-admin-access

42
docs/installation/script/advanced/trusted-proxies.md Normal file
View File

@@ -0,0 +1,42 @@
---
layout: default
title: Trusted proxies
parent: Advanced
grand_parent: Install Script
nav_order: 6
---
# Trusted proxies
When AliasVault sits behind another reverse proxy (HAProxy, Traefik, Cloudflare, an upstream nginx, etc.), the built-in nginx reads the real client IP from the `X-Forwarded-For` header so that audit logs and the IP allowlist see the actual client rather than the upstream proxy.
To prevent header spoofing, nginx only honors `X-Forwarded-For` when the request comes from an explicitly trusted upstream. The `TRUSTED_PROXIES` environment variable controls that list.
## How it works
For every incoming request, nginx checks the direct peer's IP against `TRUSTED_PROXIES`:
- If the peer IP matches a trusted entry, nginx replaces `$remote_addr` with the value from `X-Forwarded-For`.
- If it doesn't match, the header is ignored and the direct peer IP is used.
`real_ip_recursive` is enabled, so when a chain of trusted proxies is configured nginx walks the `X-Forwarded-For` list right-to-left until it finds the first untrusted address.
## Configure
Run the install script which walks you through the options, validates your input, and offers to restart the containers for you:
```bash
$ ./install.sh configure-trusted-proxies
```
You'll be prompted to choose one of:
| Option | Effect |
|---|---|
| Default | Trust all RFC1918 ranges (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`). |
| Custom CIDRs/IPs | Trust only the listed proxies (recommended when you know your upstream proxy address). |
| None | Trust no upstream proxies. `X-Forwarded-For` is always ignored and the direct peer IP is logged. |
## Why narrow this down
The default of all RFC1918 ranges is convenient. Most setups place AliasVault and its upstream proxy in the same private network. But it does mean that **any** request originating from a private IP can spoof `X-Forwarded-For` and appear in the logs as a different client. If you have other workloads on the same private network, set `TRUSTED_PROXIES` to your specific upstream proxy address(es) so only that proxy is trusted to set the header.