Full documentation repository for Mastodon
Mark Doliner 17a5e151a5
Improve documentation for TRUSTED_PROXY_IP (#1144)
* Improve documentation for TRUSTED_PROXY_IP

The documentation previously only indicated that `localhost` was trusted, but it appears that all private networks are trusted by default. I believe this because:

- I'm running my web and streaming processes within Docker containers and running Nginx on the Docker host. I believe they communicate over a 172.16.0.0/12 network that Docker creates. I tried looking at logs a bit and it _seems_ like things are working correctly. But if anyone has suggestions on how to verify that my Mastodon processes are recording the correct client IP, please let me know! We could include that advice in this documentation.
- I looked at the source code a bit and it appears that both the streaming and web processes use localhost and the private network ranges. But this is really my first time looking at the Mastodon code and I don't even know Ruby, so please double check me!
  - I believe the streaming process uses Express JS. I believe it sets the trusted proxy IP [here](d11d15748c/streaming/index.js (L150)). Express documents the `loopback` and `uniquelocal` values [here](https://expressjs.com/en/guide/behind-proxies.html).
  - I'm less certain about web. It looks like the env var is parsed [here](d11d15748c/config/environments/production.rb (L44-L45)). It looks like `trusted_proxies` will be unset if the env var is unset. And maybe that results in [this check](https://github.com/mastodon/mastodon/blob/main/config/initializers/trusted_proxies.rb) getting bypassed? But it looks like Action Dispatch does its own check [here](https://api.rubyonrails.org/classes/ActionDispatch/RemoteIp.html)?

* Try to improve the phrasing

Specifically I tried to make it less likely that people would do the wrong thing if they're using Cloudflare or a similar proxy service. It does seem pretty wordy now. I'm open to suggestions.
2023-01-06 07:54:14 +01:00
.github/workflows Deploy to Github Pages (#1138) 2022-12-30 21:54:01 +01:00
archetypes Update content for 4.0, part 2 (#1060) 2022-12-14 22:55:30 +01:00
assets Switch hosting to Vercel (#1113) 2022-12-21 06:26:37 +01:00
content Improve documentation for TRUSTED_PROXY_IP (#1144) 2023-01-06 07:54:14 +01:00
data Update documentation with contents by twrnh 2020-01-04 10:33:16 +01:00
i18n Update content for 4.0 (part 1) (#991) 2022-11-20 07:34:38 +01:00
layouts Switch hosting to Vercel (#1113) 2022-12-21 06:26:37 +01:00
static Update sponsors 2022-11-21 00:02:38 +01:00
.gitignore Switch hosting to Vercel (#1113) 2022-12-21 06:26:37 +01:00
.gitlab-ci.yml Update documentation with contents by twrnh 2020-01-04 10:33:16 +01:00
LICENSE Add LICENSE 2018-10-21 04:03:53 +02:00
README.md Add README 2020-01-05 20:26:27 +01:00
config.toml Update content for 4.0 (part 1) (#991) 2022-11-20 07:34:38 +01:00

README.md

Mastodon

View the documentation at https://docs.joinmastodon.org