[docs] Clarify that reverse proxy setups need trusted-proxies (#1127)

* [docs] Clarify that reverse proxy setups need trusted-proxies * Remove the jq usage
superseriousbusiness · Nov 23, 2022 · 8942a70 · 8942a70
1 parent 5ba5fb3
commit 8942a70
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 0 deletions.
diff --git a/docs/installation_guide/apache-httpd.md b/docs/installation_guide/apache-httpd.md
@@ -100,6 +100,8 @@ You should also change `http://localhost:8080` to the correct address and port o
 
 `ProxyPreserveHost On` is essential: It guarantees that the proxy and the GoToSocial speak of the same Server name. If not, GoToSocial will build the wrong authentication headers, and all attempts at federation will be rejected with 401 Unauthorized.
 
+By default, apache sets `X-Forwarded-For` in forwarded requests. To make this and rate limiting work, set the `trusted-proxies` configuration variable. See the [rate limiting](../api/ratelimiting.md) and [general configuration](../configuration/general.md) docs
+
 Save and close the config file.
 
 Now we'll need to link the file we just created to the folder that Apache HTTP Server reads configurations for active sites from.

diff --git a/docs/installation_guide/caddy.md b/docs/installation_guide/caddy.md
@@ -77,6 +77,8 @@ example.org {
 }
 ```
 
+By default, caddy sets `X-Forwarded-For` in forwarded requests. To make this and rate limiting work, set the `trusted-proxies` configuration variable. See the [rate limiting](../api/ratelimiting.md) and [general configuration](../configuration/general.md) docs
+
 For advanced configuration check the [reverse_proxy directive](https://caddyserver.com/docs/caddyfile/directives/reverse_proxy) at the Caddy documentation.
 
 Now check for configuration errors.

diff --git a/docs/installation_guide/docker.md b/docs/installation_guide/docker.md
@@ -98,6 +98,35 @@ If you want to use [LetsEncrypt](../configuration/letsencrypt.md) for ssl certif
 2. Remove the `#` before `- "80:80"` in the `ports` section.
 3. (Optional) Set `GTS_LETSENCRYPT_EMAIL_ADDRESS` to a valid email address to receive certificate expiry warnings etc.
 
+#### Reverse proxies
+
+The default port bindings are for exposing GoToSocial directly and publicly. Remove the `#` in front the line that forwards `127.0.0.1:8080:8080` which makes port `8080` available only to the local host. Change that `127.0.0.1` if the reverse proxy is somewhere else.
+
+To ensure [rate limiting](../api/ratelimiting.md) by IP works, remove the `#` in front of `GTS_TRUSTED_PROXIES` and set it to the IP the requests from the reverse proxy are coming from. That's usually the value of the `Gateway` field of the docker network.
+
+```text
+$ docker network inspect gotosocial_gotosocial
+[
+    {
+        "Name": "gotosocial_gotosocial",
+        [...]
+        "IPAM": {
+            "Driver": "default",
+            "Options": null,
+            "Config": [
+                {
+                    "Subnet": "172.19.0.0/16",
+                    "Gateway": "172.19.0.1"
+                }
+            ]
+        },
+        [...]
+```
+
+In the example above, it would be `172.19.0.1`.
+
+If unsure, skip the trusted proxies step, continue with the next sections, and once it's running get the `clientIP` from the docker logs.
+
 ### Start GoToSocial
 
 With those small changes out of the way, you can now start GoToSocial with the following command:

diff --git a/docs/installation_guide/nginx.md b/docs/installation_guide/nginx.md
@@ -86,6 +86,8 @@ If you're running GoToSocial on another machine with the local ip of 192.168.178
 
 **Note**: `client_max_body_size` is set to 40M in this example, which is the default max video upload size for GoToSocial. You can make this value larger or smaller if necessary. The nginx default is only 1M, which is rather too small.
 
+**Note**: To make `X-Forwarded-For` and rate limiting work, set the `trusted-proxies` configuration variable. See the [rate limiting](../api/ratelimiting.md) and [general configuration](../configuration/general.md) docs
+
 Next we'll need to link the file we just created to the folder that nginx reads configurations for active sites from.
 
 ```bash

diff --git a/example/docker-compose/docker-compose.yaml b/example/docker-compose/docker-compose.yaml
@@ -13,9 +13,14 @@ services:
       GTS_DB_ADDRESS: /gotosocial/storage/sqlite.db
       GTS_LETSENCRYPT_ENABLED: "false"
       GTS_LETSENCRYPT_EMAIL_ADDRESS: ""
+      ## For reverse proxy setups:
+      # GTS_TRUSTED_PROXIES: "172.x.x.x"
     ports:
       - "443:8080"
+      ## For letsencrypt:
       #- "80:80"
+      ## For reverse proxy setups:
+      #- "127.0.0.1:8080:8080"
     volumes:
       - ~/gotosocial/data:/gotosocial/storage
     restart: "always"