fix(plane): tighten proxy TRUSTED_PROXIES to private_ranges (no IP spoofing)

Defaulting TRUSTED_PROXIES to 0.0.0.0/0 makes Caddy trust X-Forwarded-For /
X-Real-IP from any peer, allowing client-IP spoofing (CWE-348 / CWE-290) that
poisons rate-limiting and audit logs. In Dokploy the only upstream is Traefik on
the private dokploy-network, so trust Caddy's built-in `private_ranges` token
instead. Legitimate forwarded client IPs (Traefik is a private peer) still
resolve correctly; XFF from public-IP peers is rejected if the proxy is ever
exposed directly. Overridable via env for custom topologies.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
LeoGomide
2026-06-03 10:17:09 -03:00
parent 34501dd8b5
commit b24dbc7611
2 changed files with 10 additions and 4 deletions

View File

@@ -38,9 +38,13 @@ x-proxy-env: &proxy-env
FILE_SIZE_LIMIT: ${FILE_SIZE_LIMIT:-5242880}
BUCKET_NAME: ${AWS_S3_BUCKET_NAME:-uploads}
# Caddy proxy: listen address (no upstream default in Caddyfile -> must be set,
# else the `{$SITE_ADDRESS} { ... }` block is keyless and Caddy aborts) + trusted proxies
# else the `{$SITE_ADDRESS} { ... }` block is keyless and Caddy aborts).
SITE_ADDRESS: ${SITE_ADDRESS:-:80}
TRUSTED_PROXIES: ${TRUSTED_PROXIES:-0.0.0.0/0}
# trusted_proxies decides which peers may set X-Forwarded-For/X-Real-IP. Dokploy's
# Traefik upstream always lives on the private dokploy-network, so trust only private
# ranges (Caddy built-in) instead of 0.0.0.0/0 to prevent client-IP spoofing if the
# proxy is ever exposed directly. Override with your real upstream CIDR if needed.
TRUSTED_PROXIES: ${TRUSTED_PROXIES:-private_ranges}
x-mq-env: &mq-env
RABBITMQ_HOST: ${RABBITMQ_HOST:-plane-mq}

View File

@@ -46,9 +46,11 @@ env = [
"AWS_S3_BUCKET_NAME=uploads",
"FILE_SIZE_LIMIT=5242880",
# Caddy proxy listen address + trusted proxies (required by the plane-proxy Caddyfile;
# SITE_ADDRESS has no upstream default, so leaving it unset crashes the proxy)
# SITE_ADDRESS has no upstream default, so leaving it unset crashes the proxy).
# TRUSTED_PROXIES=private_ranges trusts only Dokploy's private-network upstream (Traefik),
# avoiding client-IP spoofing from 0.0.0.0/0. Set a narrower CIDR if exposing directly.
"SITE_ADDRESS=:80",
"TRUSTED_PROXIES=0.0.0.0/0",
"TRUSTED_PROXIES=private_ranges",
"MINIO_ENDPOINT_SSL=0",
"DEBUG=0",
"GUNICORN_WORKERS=1",