From b24dbc761196126b9564e366ba82c8615c33bada Mon Sep 17 00:00:00 2001 From: LeoGomide Date: Wed, 3 Jun 2026 10:17:09 -0300 Subject: [PATCH] fix(plane): tighten proxy TRUSTED_PROXIES to private_ranges (no IP spoofing) Defaulting TRUSTED_PROXIES to 0.0.0.0/0 makes Caddy trust X-Forwarded-For / X-Real-IP from any peer, allowing client-IP spoofing (CWE-348 / CWE-290) that poisons rate-limiting and audit logs. In Dokploy the only upstream is Traefik on the private dokploy-network, so trust Caddy's built-in `private_ranges` token instead. Legitimate forwarded client IPs (Traefik is a private peer) still resolve correctly; XFF from public-IP peers is rejected if the proxy is ever exposed directly. Overridable via env for custom topologies. Co-Authored-By: Claude Opus 4.8 (1M context) --- blueprints/plane/docker-compose.yml | 8 ++++++-- blueprints/plane/template.toml | 6 ++++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/blueprints/plane/docker-compose.yml b/blueprints/plane/docker-compose.yml index b0b89db5..a41b344c 100644 --- a/blueprints/plane/docker-compose.yml +++ b/blueprints/plane/docker-compose.yml @@ -38,9 +38,13 @@ x-proxy-env: &proxy-env FILE_SIZE_LIMIT: ${FILE_SIZE_LIMIT:-5242880} BUCKET_NAME: ${AWS_S3_BUCKET_NAME:-uploads} # Caddy proxy: listen address (no upstream default in Caddyfile -> must be set, - # else the `{$SITE_ADDRESS} { ... }` block is keyless and Caddy aborts) + trusted proxies + # else the `{$SITE_ADDRESS} { ... }` block is keyless and Caddy aborts). SITE_ADDRESS: ${SITE_ADDRESS:-:80} - TRUSTED_PROXIES: ${TRUSTED_PROXIES:-0.0.0.0/0} + # trusted_proxies decides which peers may set X-Forwarded-For/X-Real-IP. Dokploy's + # Traefik upstream always lives on the private dokploy-network, so trust only private + # ranges (Caddy built-in) instead of 0.0.0.0/0 to prevent client-IP spoofing if the + # proxy is ever exposed directly. Override with your real upstream CIDR if needed. + TRUSTED_PROXIES: ${TRUSTED_PROXIES:-private_ranges} x-mq-env: &mq-env RABBITMQ_HOST: ${RABBITMQ_HOST:-plane-mq} diff --git a/blueprints/plane/template.toml b/blueprints/plane/template.toml index ac5f869a..bbe23622 100644 --- a/blueprints/plane/template.toml +++ b/blueprints/plane/template.toml @@ -46,9 +46,11 @@ env = [ "AWS_S3_BUCKET_NAME=uploads", "FILE_SIZE_LIMIT=5242880", # Caddy proxy listen address + trusted proxies (required by the plane-proxy Caddyfile; - # SITE_ADDRESS has no upstream default, so leaving it unset crashes the proxy) + # SITE_ADDRESS has no upstream default, so leaving it unset crashes the proxy). + # TRUSTED_PROXIES=private_ranges trusts only Dokploy's private-network upstream (Traefik), + # avoiding client-IP spoofing from 0.0.0.0/0. Set a narrower CIDR if exposing directly. "SITE_ADDRESS=:80", - "TRUSTED_PROXIES=0.0.0.0/0", + "TRUSTED_PROXIES=private_ranges", "MINIO_ENDPOINT_SSL=0", "DEBUG=0", "GUNICORN_WORKERS=1",