[bug] Trusted proxies warning is visible even if proxy set in config

[SadmL]

Describe the bug with a clear and concise description of what the bug is.

Getting warning banner

even if needed proxy is set in config

What's your GoToSocial Version?

0.17.4-SNAPSHOT+git-4c052c8

GoToSocial Arch

amd64 binary

What happened?

No response

What you expected to happen?

No warning 🤷

How to reproduce it?

Upgrade instance to commit from b42cb7a to latest atm 4c052c8

Anything else we need to know?

Using default Nginx config

server {
	server_name gts.sadium.cyou;

  	location / {
    	# set to 127.0.0.1 instead of localhost to work around https://stackoverflow.com/a/52550758
    	proxy_pass http://127.0.0.1:6060;
    	proxy_set_header Host $host;
    	proxy_set_header Upgrade $http_upgrade;
    	proxy_set_header Connection "upgrade";
    	proxy_set_header X-Forwarded-For $remote_addr;
    	proxy_set_header X-Forwarded-Proto $scheme;

	include includes/errors_pages.conf;
		
	}

	include includes/errors_paths.conf;	
		
  	client_max_body_size 40M;
		
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/gts.sadium.cyou/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/gts.sadium.cyou/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = gts.sadium.cyou) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    server_name gts.sadium.cyou;
    listen 80;
    return 404; # managed by Certbot

}

includes/errors_pages.conf

error_page 401 @401;
error_page 403 @403;
error_page 404 @404;
error_page 405 @405;
error_page 408 @408;
error_page 500 @500;
error_page 502 @502;
error_page 503 @503;
error_page 504 @504;

proxy_intercept_errors on;

includes/error_paths.conf

location @401 {
    root /mnt/2TB/sites/sadium/public/errors;
    try_files /401.html 401.html;
}

location @403 {
    root /mnt/2TB/sites/sadium/public/errors;
    try_files /403.html 403.html;
}

location @404 {
    root /mnt/2TB/sites/sadium/public/errors;
    try_files /404.html 404.html;
}    

location @405 {
    root /mnt/2TB/sites/sadium/public/errors;
    try_files /405.html 405.html;
}    

location @408 {
    root /mnt/2TB/sites/sadium/public/errors;
    try_files /408.html 408.html;
}

location @500 {
    root /mnt/2TB/sites/sadium/public/errors;
    try_files /500.html 500.html;
}

location @502 {
    root /mnt/2TB/sites/sadium/public/errors;
    try_files /502.html 502.html;
}

location @503 {
    root /mnt/2TB/sites/sadium/public/errors;
    try_files /503.html 503.html;
}

location @504 {
    root /mnt/2TB/sites/sadium/public/errors;
    try_files /504.html 504.html;
}

[tsmethurst]

Is Nginx itself running at 192.168.50.1 or do you have something else between wider internet -> nginx -> GtS? It looks to me like there might be some networking misconfiguration happening here, not entirely sure.

[SadmL]

Internet -> Router 192.168.50.1 -> Server 192.168.50.202 (Nginx and GtS is here, all bare metal, no virtualization)
I've added server local ip to proxy list - no changes, banner still here

[tsmethurst]

Ahhh interesting.... So I think what's happening is that nginx is seeing the traffic coming from your router and setting x-forwarded-for to 192.168.50.1, and then GoToSocial is trusting nginx to report that IP address correctly. You need to find a way to instruct your router to add the real client IP as an x-forwarded-for header, and then you need to instruct nginx to NOT add any x-forwarded-for headers.

[SadmL]

Tbh, understand nothing 🙇

Only thing is I'm noticed that if I comment line proxy_set_header X-Forwarded-For $remote_addr; banner address is changing from 192.168.50.1/32 to 127.0.0.1/32

[tsmethurst]

Mmm, I think in your case it might just be impossible to get the proper client ip. I'll make a pull request later so that turning off rate limiting disables the warning message :) This will probably be useful for other folks too.

[SadmL]

I haven't any problems with federation and rate-limiting with my instance that works since end of August 2024 even with almost 600 emoji that I've uploaded by hand by all this time.
Thanks 🙃

[tsmethurst]

I'll close this now as you can suppress the warning message by just turning rate limiting off entirely: #3686

[tsmethurst]

@SadmL I think maybe this issue describes the problem you were having, and I just misunderstood: #3690

In that case, I don't think you need to disable rate limiting after all, and you were right that it wasn't actually an issue. My apologies! I'll have a think tomorrow about the best way of handling the case of accessing your GtS instance from inside your own network (should we still show the warning or not, etc).