From c2b63661bed4d8e404a1d7d4773c3fa64819afa2 Mon Sep 17 00:00:00 2001
From: Steven 'Xaroth' Noorbergen
Date: Wed, 17 Feb 2021 12:25:41 +0100
Subject: [PATCH] Change: Allow for configuring the realip module for nginx to pass the proper IP/Scheme to frappe.

---
 build/common/nginx-default.conf.template | 20 +++++++++++++++++---
 build/frappe-nginx/docker-entrypoint.sh  | 17 ++++++++++++++++-
 2 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/build/common/nginx-default.conf.template b/build/common/nginx-default.conf.template
index 2008e655..82398514 100644
--- a/build/common/nginx-default.conf.template
+++ b/build/common/nginx-default.conf.template
@@ -6,6 +6,12 @@ upstream socketio-server {
     server ${FRAPPE_SOCKETIO}:${SOCKETIO_PORT} fail_timeout=0;
 }
 
+# Parse the X-Forwarded-Proto header - if set - defaulting to $scheme.
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+    default $scheme;
+    https https;
+}
+
 server {
     listen 80;
     server_name $http_host;
@@ -16,6 +22,12 @@ server {
     add_header X-Content-Type-Options nosniff;
     add_header X-XSS-Protection "1; mode=block";
 
+    # Define ${UPSTREAM_REAL_IP_ADDRESS} as our trusted upstream address, so we will be using
+    # its ${UPSTREAM_REAL_IP_HEADER} address as our remote address
+    set_real_ip_from ${UPSTREAM_REAL_IP_ADDRESS};
+    real_ip_header ${UPSTREAM_REAL_IP_HEADER};
+    real_ip_recursive ${UPSTREAM_REAL_IP_RECURSIVE};
+
     location /assets {
         try_files $uri =404;
     }
@@ -27,10 +39,12 @@ server {
 
     location /socket.io {
         proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
         proxy_set_header X-Frappe-Site-Name $host;
-        proxy_set_header Origin $scheme://$http_host;
+        proxy_set_header Origin $proxy_x_forwarded_proto://$http_host;
         proxy_set_header Host $http_host;
 
         proxy_pass http://socketio-server;
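Review bot: The `map` on `$http_x_forwarded_proto` honours the header from whichever peer sent the request, not only from the `${UPSTREAM_REAL_IP_ADDRESS}` proxy that the `set_real_ip_from` block trusts, so a client that can reach port 80 directly can assert `https` and have it forwarded to frappe, and baked into the synthetic `Origin`, through the `/socket.io` and `@webserver` hunks. If this port is only ever reachable through the trusted proxy that is harmless, but the template does not say so; I would extend the comment to `# Trusted from any peer: expose this port only behind the proxy named in UPSTREAM_REAL_IP_ADDRESS, or key the map on $realip_remote_addr as well.` Note also that the match is exact and case-sensitive, so a value such as `HTTPS` silently falls back to `$scheme`.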
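Review bot: Switching `X-Forwarded-For` from `$remote_addr` to `$proxy_add_x_forwarded_for` forwards whatever `X-Forwarded-For` the peer sent with `$remote_addr` appended; the `@webserver` hunk makes the same change. Since the realip block already rewrites `$remote_addr` from the trusted proxy's header, the previous `proxy_set_header X-Forwarded-For $remote_addr;` would hand frappe exactly the vetted address, whereas the new value puts client-controlled entries first, so if frappe reads the left-most hop a caller can choose the address the application sees as its client. Unless frappe is known to take the right-most entry, keep `$remote_addr` here, or at least record in a comment which entry the application reads. The enclosing `location /socket.io` block closes outside the hunk.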
@@ -50,8 +64,8 @@ server {
     }
 
     location @webserver {
-        proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
         proxy_set_header X-Frappe-Site-Name $host;
         proxy_set_header Host $http_host;
         proxy_set_header X-Use-X-Accel-Redirect True;
diff --git a/build/frappe-nginx/docker-entrypoint.sh b/build/frappe-nginx/docker-entrypoint.sh
index 5d905bdf..b2f831e7 100755
--- a/build/frappe-nginx/docker-entrypoint.sh
+++ b/build/frappe-nginx/docker-entrypoint.sh
@@ -35,11 +35,26 @@ if [[ -z "$HTTP_TIMEOUT" ]]; then
     export HTTP_TIMEOUT=120
 fi
 
+if [[ -z "$UPSTREAM_REAL_IP_ADDRESS" ]]; then
+    export UPSTREAM_REAL_IP_ADDRESS=127.0.0.1
+fi
+
+if [[ -z "$UPSTREAM_REAL_IP_RECURSIVE" ]]; then
+    export UPSTREAM_REAL_IP_RECURSIVE=off
+fi
+
+if [[ -z "$UPSTREAM_REAL_IP_HEADER" ]]; then
+    export UPSTREAM_REAL_IP_HEADER="X-Forwarded-For"
+fi
+
 envsubst '${FRAPPE_PY}
     ${FRAPPE_PY_PORT}
     ${FRAPPE_SOCKETIO}
     ${SOCKETIO_PORT}
-    ${HTTP_TIMEOUT}' \
+    ${HTTP_TIMEOUT}
+    ${UPSTREAM_REAL_IP_ADDRESS}
+    ${UPSTREAM_REAL_IP_RECURSIVE}
+    ${UPSTREAM_REAL_IP_HEADER}' \
     < /etc/nginx/conf.d/default.conf.template > /etc/nginx/conf.d/default.conf
 
 echo "Waiting for frappe-python to be available on $FRAPPE_PY port $FRAPPE_PY_PORT"
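Review bot: The three new defaults are undocumented, and `UPSTREAM_REAL_IP_ADDRESS` is the trust boundary of the whole realip setup: every address it names may rewrite the client address through `${UPSTREAM_REAL_IP_HEADER}`, so widening it to a broad CIDR lets any peer in that range pick its own source address. A comment above the first block such as `# Address or CIDR of the proxy whose ${UPSTREAM_REAL_IP_HEADER} header is trusted for the client address; keep it as narrow as the proxy itself` would make that explicit, and the `127.0.0.1` default is a sensible fail-closed choice. The values are substituted verbatim into the nginx config, so one value here yields a single `set_real_ip_from` and deployments with several proxies cannot be expressed through this variable; that limitation is worth stating next to the default as well.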