/dokku-nginx-vhost-trustproxy

Dokku plugin for trusting nginx-vhost proxy headers

Primary LanguageShell

DOKKU Blazing Fast

dokku-nginx-vhost-trustproxy

If your deployment architecture is proxy* -> dokku-host -> app then you most probably want the client's remote IP within the app to actually be the correct client IP and not the IP of the known proxy.

This plugin enables allowing an application's dokku-host nginx-vhost to forward the correct headers (X-Forwarded-*) from the upstream proxy to the downstream app.

Installation

# on 0.4.x+
sudo dokku plugin:install https://github.com/kingsquare/dokku-nginx-vhost-trustproxy.git#v0.0.1-alpha2

Commands

Command Description
nginx-vhost-trustproxy:enable <app> [depth] Trust the nth hop from the dokku host as the client IP. Default is 1 so dokku-host -> app. For each extra proxy increase the depth. This sets an environment property NGINX_VHOST_TRUSTPROXY with the depth + 1
nginx-vhost-trustproxy:disable <app> Disable trustproxy This reverts to the default dokku behaviour.
nginx-vhost-trustproxy:status <app> Get trustproxy status (if its enabled / disabled)

Application usage

Your app will be able to access the environment NGINX_VHOST_TRUSTPROXY. The value will be the trusted depth (including the dokku host; i.e. 1 + 1). The left most IP according to your depth should be used as the Client/Remote IP.

e.g.

Hop 0 Hop 1 Hop 2
app dokku-vhost proxy

expressjs example

In your application you will have to use some kind of trust proxy to use the "correct" IP as the client IP. For example the trust proxy setting in expressjs. If you are not using express see the implementation in proxy-addr. For other technologies/languages/platforms see their relevant documentation.

  app.set('trust proxy', process.env.NGINX_VHOST_TRUSTPROXY || 1);

This will trust either the configured depth of hops (including the dokku host) or just the one (to the dokku host).

Credits

This is slightly based on the reasoning for expressjs's trust proxy setting.