From 93b1db1ab043911d718f44ed9ecf9509bad20c90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arturo=20Filast=C3=B2?=
Date: Wed, 11 Dec 2024 18:02:00 -0500
Subject: [PATCH] Fix setting X-Forwarded-For inside of ALB setup

If somebody is setting X-Forwarded-For it will lead to X-Real-Ip containing a list instead of a fixed IP. We can instead trust the last item in the X-Forwarded-For list since this comes from ALB as we are running it in append mode (see: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html)
---
 .../reverseproxy/templates/backend-proxy.conf.template | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ooniapi/services/reverseproxy/templates/backend-proxy.conf.template b/ooniapi/services/reverseproxy/templates/backend-proxy.conf.template
index 9bf16fbc..d9b80963 100644
--- a/ooniapi/services/reverseproxy/templates/backend-proxy.conf.template
+++ b/ooniapi/services/reverseproxy/templates/backend-proxy.conf.template
@@ -3,6 +3,7 @@ gzip_proxied any; gzip_types text/plain application/json; gzip_min_length 1000; + server { listen 8080; location /stub_status {
@@ -11,6 +12,8 @@ server { } server { + real_ip_header X-Forwarded-For; + listen 80; server_name _;
@@ -26,7 +29,7 @@ server {
 proxy_set_header Connection 'upgrade';
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Real-IP $http_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
 proxy_cache_bypass $http_upgrade;
 }
 }
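Review bot: `real_ip_header X-Forwarded-For;` in the second `server` block has no `set_real_ip_from` beside it, and nginx's realip module only rewrites `$remote_addr` for connections arriving from addresses listed in that directive. Unless it is set elsewhere (the rest of the block and the `http` context are outside the hunk), `$remote_addr` stays the ALB node address, and the `X-Real-IP` line changed in the last hunk would forward that instead of the client. I would add `set_real_ip_from <ALB_SUBNET_CIDR>;` next to it, where the placeholder stands for the subnets the ALB runs in. `real_ip_recursive` should also stay at its default `off`, so the last, ALB-appended entry is the one taken.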
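Review bot: The unchanged `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` line just above the fix still passes client-supplied entries through to the backend, so after this change only `X-Real-IP` can be trusted, and that deserves a comment here. Something like `# X-Real-IP is the ALB-appended address (set via realip); X-Forwarded-For may still contain client-supplied values` above the `X-Real-IP` line would keep a later reader from treating the first X-Forwarded-For entry as the client address. Once realip is active, `$proxy_add_x_forwarded_for` appends the rewritten `$remote_addr`, so the client address will probably appear twice at the end of the forwarded list. The enclosing `location` block starts outside the hunk.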