feat: reflecting changes for fix: X-Forwarded-For spoofing attack - h…

…eimdall
metakgp · Jul 4, 2024 · 717c16b · 717c16b
1 parent 0e5fc97
commit 717c16b
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/metaploy/naarad.metaploy.conf b/metaploy/naarad.metaploy.conf
@@ -9,12 +9,12 @@ server {
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Original-URI $request_uri;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
     # Unprotected routes
     ## Allows us to call the /v1/health endpoint for healthcheck
     location = /v1/health {
         proxy_pass http://naarad;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     }
     ## Allows the app to be functional 
     ## as it doesn't have Heimdall Session Auth
@@ -51,7 +51,6 @@ server {
         }
 
         proxy_pass http://naarad;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     }
     ## FRONTEND
     ### Permanently move the /signup endpoint
@@ -81,6 +80,7 @@ server {
         proxy_pass_request_body off;
         proxy_set_header Content-Length "";
         proxy_set_header Cookie $http_cookie;
+        proxy_set_header X-Real-IP $remote_addr; # For heimdall to see, real user
     }
 
     # Handle case when auth fails in /auth sub request