feat: Option to not trust X-Forwarded-* headers from clients

If header values from a malicious client are passed to the backend server unchecked and unchanged, the client may be able to subvert security checks done by the backend server.
2025-07-01 14:25:46 +00:00 · 2022-03-16 00:59:03 -04:00
parent 5f15f04556
commit 8aa00fcea2
11 changed files with 230 additions and 4 deletions
--- a/app/docker-entrypoint.sh
+++ b/app/docker-entrypoint.sh
@ -109,6 +109,13 @@ if [[ $* == 'forego start -r' ]]; then
 	_resolvers

 	_setup_dhparam
+
+	if [ -z "${TRUST_DOWNSTREAM_PROXY}" ]; then
+		cat >&2 <<-EOT
+			Warning: TRUST_DOWNSTREAM_PROXY is not set; defaulting to "true". For security, you should explicitly set TRUST_DOWNSTREAM_PROXY to "false" if there is not a trusted reverse proxy in front of this proxy.
+			Warning: The default value of TRUST_DOWNSTREAM_PROXY might change to "false" in a future version of nginx-proxy. If you require TRUST_DOWNSTREAM_PROXY to be enabled, explicitly set it to "true".
+		EOT
+	fi
 fi

 exec "$@"