From 41661b134d72b262a9518c6adc2ec57c147226a0 Mon Sep 17 00:00:00 2001
From: tobi
Date: Sun, 26 Jan 2025 10:14:59 +0100
Subject: [PATCH] [chore] Allow suppressing trusted-proxies warning by disabling rate limiting

---
 docs/configuration/trusted_proxies.md | 10 +++++++++-
 internal/api/util/template.go | 16 +++++++++++++++-
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/docs/configuration/trusted_proxies.md b/docs/configuration/trusted_proxies.md
index 6852e22e1..3f339fa1d 100644
--- a/docs/configuration/trusted_proxies.md
+++ b/docs/configuration/trusted_proxies.md
@@ -63,9 +63,17 @@ If you are using docker compose, your docker-compose.yaml file should look somet
 ################################
 ```
 
-Once you have made the necessary configuration changes, restart your instance and refresh the home page. If the message is gone, then the problem is resolved!
+Once you have made the necessary configuration changes, **restart your instance** and refresh the home page.
+
+If the message is gone, then the problem is resolved!
 
 If you still see the warning message but with a different suggested IP range to add to `trusted-proxies`, then follow the same steps as above again, including the new suggested IP range in your config in addition to the one you just added.
 
 !!! tip "Cloudflare IP Addresses"
 If you are running with a CDN/proxy such as Cloudflare in front of your GoToSocial instance (not recommended), then you may need to add one or more of the Cloudflare IP addresses to your `trusted-proxies` in order to have rate limiting work properly. You can find a list of Cloudflare IP addresses here: https://www.cloudflare.com/ips/
+
+## I can't seem to get `trusted-proxies` configured properly, can I just disable the warning?
+
+There are some situations where it's not practically possible to get `trusted-proxies` configured correctly to detect the real client IP of incoming requests For example, if you're running GoToSocial behind a home internet router that cannot inject an `X-Forwarded-For` header, then your suggested entry to add to `trusted-proxies` will look something like `192.168.x.x`, but adding this to `trusted-proxies` won't resolve the issue.
+
+If you've tried everything, then you can disable the warning message by just turning off rate limiting entirely, ie., by setting `advanced-rate-limit-requests` to 0 in your config.yaml, or setting the environment variable `GTS_ADVANCED_RATE_LIMIT_REQUESTS` to 0. Don't forget to **restart your instance** after changing this setting.
diff --git a/internal/api/util/template.go b/internal/api/util/template.go
index fcfd80956..f58563660 100644
--- a/internal/api/util/template.go
+++ b/internal/api/util/template.go
@@ -23,6 +23,7 @@
 
 "github.com/gin-gonic/gin"
 apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model"
+ "github.com/superseriousbusiness/gotosocial/internal/config"
 )
 
 // WebPage encapsulates variables for
@@ -96,6 +97,17 @@ func injectTrustedProxiesRec(
 c *gin.Context,
 obj map[string]any,
 ) {
+ if config.GetAdvancedRateLimitRequests() <= 0 {
+ // If rate limiting is disabled entirely
+ // there's no point in giving a trusted
+ // proxies rec, as proper clientIP is
+ // basically only used for rate limiting.
+ return
+ }
+
+ // clientIP = the client IP that gin
+ // derives based on x-forwarded-for
+ // and current trusted proxies.
 clientIP := c.ClientIP()
 if clientIP == "127.0.0.1" {
 // Suggest precise 127.0.0.1/32.
@@ -119,7 +131,9 @@ func injectTrustedProxiesRec(
 
 if !hasRemoteIPHeader {
 // Upstream hasn't set a
- // remote IP header, bail.
+ // remote IP header so we're
+ // probably not in a reverse
+ // proxy setup, bail.
 return
 }
 
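Review bot: The early return added at the top of injectTrustedProxiesRec removes the only operator-visible hint that the derived client IP is wrong, and it does so on the comment's own hedged claim that clientIP is "basically only" used for rate limiting. Any other reader of `c.ClientIP()` (request logging or IP-based moderation, if present; none is visible in this diff) would keep seeing the proxy's address with nothing pointing at the misconfiguration, so the comment should say that, e.g. `// NOTE: this only hides the hint; any other use of c.ClientIP() still sees the unresolved address.` The guard also treats negative values as disabled (`<= 0`) while the docs hunk mentions only 0; it is worth confirming that the rate limit middleware applies the same `<= 0` rule, otherwise limiting could stay active on a wrong IP with the warning hidden. The function body continues past the end of this hunk.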