mirror of
https://github.com/Dokploy/templates.git
synced 2026-07-10 08:25:23 +02:00
fix(plane): tighten proxy TRUSTED_PROXIES to private_ranges (no IP spoofing)
Defaulting TRUSTED_PROXIES to 0.0.0.0/0 makes Caddy trust X-Forwarded-For / X-Real-IP from any peer, allowing client-IP spoofing (CWE-348 / CWE-290) that poisons rate-limiting and audit logs. In Dokploy the only upstream is Traefik on the private dokploy-network, so trust Caddy's built-in `private_ranges` token instead. Legitimate forwarded client IPs (Traefik is a private peer) still resolve correctly; XFF from public-IP peers is rejected if the proxy is ever exposed directly. Overridable via env for custom topologies. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -38,9 +38,13 @@ x-proxy-env: &proxy-env
|
||||
FILE_SIZE_LIMIT: ${FILE_SIZE_LIMIT:-5242880}
|
||||
BUCKET_NAME: ${AWS_S3_BUCKET_NAME:-uploads}
|
||||
# Caddy proxy: listen address (no upstream default in Caddyfile -> must be set,
|
||||
# else the `{$SITE_ADDRESS} { ... }` block is keyless and Caddy aborts) + trusted proxies
|
||||
# else the `{$SITE_ADDRESS} { ... }` block is keyless and Caddy aborts).
|
||||
SITE_ADDRESS: ${SITE_ADDRESS:-:80}
|
||||
TRUSTED_PROXIES: ${TRUSTED_PROXIES:-0.0.0.0/0}
|
||||
# trusted_proxies decides which peers may set X-Forwarded-For/X-Real-IP. Dokploy's
|
||||
# Traefik upstream always lives on the private dokploy-network, so trust only private
|
||||
# ranges (Caddy built-in) instead of 0.0.0.0/0 to prevent client-IP spoofing if the
|
||||
# proxy is ever exposed directly. Override with your real upstream CIDR if needed.
|
||||
TRUSTED_PROXIES: ${TRUSTED_PROXIES:-private_ranges}
|
||||
|
||||
x-mq-env: &mq-env
|
||||
RABBITMQ_HOST: ${RABBITMQ_HOST:-plane-mq}
|
||||
|
||||
@@ -46,9 +46,11 @@ env = [
|
||||
"AWS_S3_BUCKET_NAME=uploads",
|
||||
"FILE_SIZE_LIMIT=5242880",
|
||||
# Caddy proxy listen address + trusted proxies (required by the plane-proxy Caddyfile;
|
||||
# SITE_ADDRESS has no upstream default, so leaving it unset crashes the proxy)
|
||||
# SITE_ADDRESS has no upstream default, so leaving it unset crashes the proxy).
|
||||
# TRUSTED_PROXIES=private_ranges trusts only Dokploy's private-network upstream (Traefik),
|
||||
# avoiding client-IP spoofing from 0.0.0.0/0. Set a narrower CIDR if exposing directly.
|
||||
"SITE_ADDRESS=:80",
|
||||
"TRUSTED_PROXIES=0.0.0.0/0",
|
||||
"TRUSTED_PROXIES=private_ranges",
|
||||
"MINIO_ENDPOINT_SSL=0",
|
||||
"DEBUG=0",
|
||||
"GUNICORN_WORKERS=1",
|
||||
|
||||
Reference in New Issue
Block a user