[chore] Allow suppressing trusted-proxies warning by disabling rate limiting (#3686)

tobi 2025-01-26 12:21:57 +01:00 committed by GitHub
parent 3ab2d8621b
commit 2a46681147
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 24 additions and 2 deletions

@ -63,9 +63,17 @@ If you are using docker compose, your docker-compose.yaml file should look somet
################################
```
Once you have made the necessary configuration changes, restart your instance and refresh the home page. If the message is gone, then the problem is resolved!
Once you have made the necessary configuration changes, **restart your instance** and refresh the home page.
If the message is gone, then the problem is resolved!
If you still see the warning message but with a different suggested IP range to add to `trusted-proxies`, then follow the same steps as above again, including the new suggested IP range in your config in addition to the one you just added.
!!! tip "Cloudflare IP Addresses"
If you are running with a CDN/proxy such as Cloudflare in front of your GoToSocial instance (not recommended), then you may need to add one or more of the Cloudflare IP addresses to your `trusted-proxies` in order to have rate limiting work properly. You can find a list of Cloudflare IP addresses here: https://www.cloudflare.com/ips/
## I can't seem to get `trusted-proxies` configured properly, can I just disable the warning?
There are some situations where it's not practically possible to get `trusted-proxies` configured correctly to detect the real client IP of incoming requests For example, if you're running GoToSocial behind a home internet router that cannot inject an `X-Forwarded-For` header, then your suggested entry to add to `trusted-proxies` will look something like `192.168.x.x`, but adding this to `trusted-proxies` won't resolve the issue.
If you've tried everything, then you can disable the warning message by just turning off rate limiting entirely, ie., by setting `advanced-rate-limit-requests` to 0 in your config.yaml, or setting the environment variable `GTS_ADVANCED_RATE_LIMIT_REQUESTS` to 0. Don't forget to **restart your instance** after changing this setting.
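Review bot: The new "can I just disable the warning?" section tells admins to set `advanced-rate-limit-requests` to 0 without saying what they give up: the instance then runs with no request rate limiting at all, so the warning disappears only because the protection it relates to is switched off. I'd add one sentence stating that trade-off next to the setting. Two small text fixes in the same added paragraphs: a full stop is missing in "incoming requests For example", and "ie.," should read "i.e.,".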

@ -23,6 +23,7 @@
"github.com/gin-gonic/gin"
apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
"github.com/superseriousbusiness/gotosocial/internal/config"
)
// WebPage encapsulates variables for
@ -96,6 +97,17 @@ func injectTrustedProxiesRec(
c *gin.Context,
obj map[string]any,
) {
if config.GetAdvancedRateLimitRequests() <= 0 {
// If rate limiting is disabled entirely
// there's no point in giving a trusted
// proxies rec, as proper clientIP is
// basically only used for rate limiting.
return
}
// clientIP = the client IP that gin
// derives based on x-forwarded-for
// and current trusted proxies.
clientIP := c.ClientIP()
if clientIP == "127.0.0.1" {
// Suggest precise 127.0.0.1/32.
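Review bot: The comment on the new early return in `injectTrustedProxiesRec` justifies skipping the recommendation with "proper clientIP is basically only used for rate limiting", and the "basically" leaves open that something else reads the client IP. Either name those other uses and say why a wrong value is acceptable for them, or drop the hedge if there are none. Also, the check is `<= 0` while the docs hunk in this commit tells admins to set the value to 0; a word in the comment that negative values count as disabled too would keep the two consistent.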
@ -119,7 +131,9 @@ func injectTrustedProxiesRec(
if !hasRemoteIPHeader {
// Upstream hasn't set a
// remote IP header, bail.
// remote IP header so we're
// probably not in a reverse
// proxy setup, bail.
return
}