Merge pull request #3038 from DynamoFox/support-reverse-proxy-trust

Add optional support to trust reverse proxies (via X-Forwarded-For)

config-sample.ini

@@ -21,3 +21,9 @@ https=false
 # path to certificate (run "bash bin/generate-cert.sh" to generate self-signed certificate). Relevant only if https=true
 certPath=
 keyPath=
+# setting to give trust to reverse proxies, a comma-separated list of trusted rev. proxy IPs can be specified (CIDR notation is permitted),
+# alternatively 'true' will make use of the leftmost IP in X-Forwarded-For, ultimately an integer can be used to tell about the number of hops between
+# Trilium (which is hop 0) and the first trusted rev. proxy. 
+# once set, expressjs will use the X-Forwarded-For header set by the rev. proxy to determinate the real IPs of clients.
+# expressjs shortcuts are supported: loopback(127.0.0.1/8, ::1/128), linklocal(169.254.0.0/16, fe80::/10), uniquelocal(10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fc00::/7)
+trustedReverseProxy=false

src/www

@@ -44,6 +44,14 @@ async function startTrilium() {
     app.set('port', usedPort);
     app.set('host', usedHost);
 
+    // Check from config whether to trust reverse proxies to supply user IPs, hostnames and protocols
+    if (config['Network']['trustedReverseProxy']) {
+        if (config['Network']['trustedReverseProxy'] === true || config['Network']['trustedReverseProxy'].trim().length) {
+            app.set('trust proxy', config['Network']['trustedReverseProxy'])
+        }
+    }
+    log.info('Trusted reverse proxy: ' + app.get('trust proxy'))
+
     if (config['Network']['https']) {
         if (!config['Network']['keyPath'] || !config['Network']['keyPath'].trim().length) {
             throw new Error("keyPath in config.ini is required when https=true, but it's empty");