From 0f4ead759c8d6c7d020599338334e7a5a1ff6d49 Mon Sep 17 00:00:00 2001
From: Kevin Morris
Date: Sat, 15 Jan 2022 20:11:51 -0800
Subject: [PATCH] fix(docker): correct proxy configuration
- On non-localhost communication, this whitelists forwarded headers on all remote ips
- Add more headers
- Force https X-Forwarded-Proto
- Unset Forwarded header and rely on X-Forwarded-*
Signed-off-by: Kevin Morris
---
 docker/config/nginx.conf | 3 ++-
 docker/scripts/run-fastapi.sh | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/docker/config/nginx.conf b/docker/config/nginx.conf
index b5c09d08..5d983695 100644
--- a/docker/config/nginx.conf
+++ b/docker/config/nginx.conf
@@ -137,8 +137,9 @@ http {
 location / {
 proxy_pass http://asgi_backend;
 proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-Protocol ssl;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Proto https;
 proxy_set_header X-Forwarded-Ssl on;
 }
 }
diff --git a/docker/scripts/run-fastapi.sh b/docker/scripts/run-fastapi.sh
index d3d75359..ed1e07ec 100755
--- a/docker/scripts/run-fastapi.sh
+++ b/docker/scripts/run-fastapi.sh
@@ -23,6 +23,8 @@ elif [ "$1" == "gunicorn" ]; then
 exec gunicorn \
 --log-config /docker/logging.conf \
 --bind "0.0.0.0:8000" \
+ --proxy-protocol \
+ --forwarded-allow-ips "*" \
 -w $FASTAPI_WORKERS \
 -k uvicorn.workers.UvicornWorker \
 aurweb.asgi:app
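Review bot: Hard-coding `proxy_set_header X-Forwarded-Proto https;` (together with the added `X-Forwarded-Protocol ssl`) tells the backend that every request arrived over TLS, whatever scheme nginx actually served. The `server` block and its `listen` directives are outside this hunk; if that block also accepts plain HTTP, the application may treat cleartext requests as secure when it decides on `Secure` cookies and generated URLs, so either keep `$scheme` or add a comment such as `# TLS is always terminated in front of this location` that states the assumption. The commit message also says the `Forwarded` header is unset, but no line in the patch does that; if it is intended here, `proxy_set_header Forwarded "";` would stop a client-supplied value from reaching the backend.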
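Review bot: `--forwarded-allow-ips "*"` makes the workers accept `X-Forwarded-*` headers from any peer while the socket is bound to `0.0.0.0:8000`, so anything that can reach port 8000 without passing through nginx decides the client address and scheme the application sees, and logging, rate limits and IP bans then rest on caller-supplied data. Because nginx builds the header with `$proxy_add_x_forwarded_for`, client-supplied entries stay in the list, so which entry the worker selects under a wildcard trust setting should be checked as well. Prefer trusting only the proxy, for example `--forwarded-allow-ips "${FORWARDED_ALLOW_IPS:-127.0.0.1}" \` with the nginx container's address supplied by the deployment. `--proxy-protocol` looks unrelated to this setup, since the nginx side of this patch uses a plain `proxy_pass http://asgi_backend;` and the uvicorn worker class may not honour the option at all; confirm it is needed or drop it. The `elif` branch begins above the hunk.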