Use single option to specify networks and proxy IP addresses. By default trust all loopback IPs

Author: lafriks

custom/conf/app.example.ini

@@ -551,10 +551,8 @@ REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
 REVERSE_PROXY_AUTHENTICATION_EMAIL = X-WEBAUTH-EMAIL
 ; Interpret X-Forwarded-For header or the X-Real-IP header and set this as the remote IP for the request
 REVERSE_PROXY_LIMIT = 1
-; List of IP addresses seperated by comma of trusted proxy servers. Use `*` to trust all.
-REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.1
-; List of network addresses seperated by comma of trusted proxy servers. Example `10.0.0.0/24`.
-REVERSE_PROXY_TRUSTED_NETWORKS =
+; List of IP addresses and networks seperated by comma of trusted proxy servers. Use `*` to trust all.
+REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.0/8,::1/128
 ; The minimum password length for new Users
 MIN_PASSWORD_LENGTH = 6
 ; Set to true to allow users to import local server paths

docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -392,8 +392,7 @@ relation to port exhaustion.
    authentication provided email.
 - `REVERSE_PROXY_LIMIT`: **1**: Interpret X-Forwarded-For header or the X-Real-IP header and set this as the remote IP for the request.
    Number of trusted proxy count. Set to zero to not use these headers.
-- `REVERSE_PROXY_TRUSTED_PROXIES`: **127.0.0.1**: List of IP addresses separated by comma of trusted proxy servers. Use `*` to trust all.
-- `REVERSE_PROXY_TRUSTED_NETWORKS`: **<empty>**: List of network addresses separated by comma of trusted proxy servers. Example `10.0.0.0/24`.
+- `REVERSE_PROXY_TRUSTED_PROXIES`: **127.0.0.0/8,::1/128**: List of IP addresses and networks separated by comma of trusted proxy servers. Use `*` to trust all.
 - `DISABLE_GIT_HOOKS`: **true**: Set to `false` to enable users with git hook privilege to create custom git hooks.
    WARNING: Custom git hooks can be used to perform arbitrary code execution on the host operating system.
    This enables the users to access and modify this config file and the Gitea database and interrupt the Gitea service.

modules/setting/setting.go

@@ -170,8 +170,7 @@ var (
 	ReverseProxyAuthUser               string
 	ReverseProxyAuthEmail              string
 	ReverseProxyLimit                  int
-	ReverseProxyTrustedIPAddr          []string
-	ReverseProxyTrustedNet             []string
+	ReverseProxyTrustedProxies         []string
 	MinPasswordLength                  int
 	ImportLocalPaths                   bool
 	DisableGitHooks                    bool
@@ -827,11 +826,10 @@ func NewContext() {
 	ReverseProxyAuthEmail = sec.Key("REVERSE_PROXY_AUTHENTICATION_EMAIL").MustString("X-WEBAUTH-EMAIL")
 
 	ReverseProxyLimit = sec.Key("REVERSE_PROXY_LIMIT").MustInt(1)
-	ReverseProxyTrustedIPAddr = sec.Key("REVERSE_PROXY_TRUSTED_PROXIES").Strings(",")
-	if len(ReverseProxyTrustedIPAddr) == 0 {
-		ReverseProxyTrustedIPAddr = []string{"127.0.0.1"}
+	ReverseProxyTrustedProxies = sec.Key("REVERSE_PROXY_TRUSTED_PROXIES").Strings(",")
+	if len(ReverseProxyTrustedProxies) == 0 {
+		ReverseProxyTrustedProxies = []string{"127.0.0.0/8", "::1/128"}
 	}
-	ReverseProxyTrustedNet = sec.Key("REVERSE_PROXY_TRUSTED_NETWORKS").Strings(",")
 
 	MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(6)
 	ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false)

routers/routes/web.go

@@ -72,11 +72,12 @@ func commonMiddlewares() []func(http.Handler) http.Handler {
 		opt := proxy.NewForwardedHeadersOptions().
 			WithForwardLimit(setting.ReverseProxyLimit).
 			ClearTrustedProxies()
-		for _, ip := range setting.ReverseProxyTrustedIPAddr {
-			opt.AddTrustedProxy(ip)
-		}
-		for _, n := range setting.ReverseProxyTrustedNet {
-			opt.AddTrustedNetwork(n)
+		for _, n := range setting.ReverseProxyTrustedProxies {
+			if !strings.Contains(n, "/") {
+				opt.AddTrustedProxy(n)
+			} else {
+				opt.AddTrustedNetwork(n)
+			}
 		}
 		handlers = append(handlers, proxy.ForwardedHeaders(opt))
 	}