feat(forgejo): Configure trusted proxies via ansible vars #357

Merged
histalek merged 1 commit from forgejo-trusted-proxies into main 2025-09-21 16:19:25 +02:00
Owner

This allows forgejo to trust the `X-Forwarded-For` or the `X-Real-IP` header from the configured proxies and therefore set the correct remote IP in logs.
feat(forgejo): Configure trusted proxies via ansible vars
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
0642e755f2
This allows forgejo to trust the `X-Forwarded-For` or the `X-Real-IP`
header from the configured proxies and therefore set the correct remote
ip in logs.
requested review from Owners 2025-08-23 18:22:05 +02:00
Author
Owner

Tbh, I don't know how this would interact (or whether it would even be needed) if we proxied to forgejo via `fcgi`, `http+unix` or `fcgi+unix`.

Currently we only really need this as forgejo defaults to the localhost IP networks for this setting, but in our setup forgejo sees the "podman" IP of the caddy container, which is not in the localhost network.

For the two fcgi options I would assume this not to be necessary, but I don't actually know. Maybe these would be alternatives to consider (fcgi would also get around the http/1.1 desync shenanigans).
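As an added illustration (not Forgejo's code and not part of this ansible role), the Go program below models what the trusted-proxy list decides: the TCP peer has to fall inside one of the trusted networks before `X-Forwarded-For` or `X-Real-IP` is honored at all, and the header is then walked from the right past trusted hops until the first address that is not one of our proxies. The podman network `10.89.0.0/24`, the real client `203.0.113.7` and the smuggled `198.51.100.9` are constructed sample values; the loopback default is written as `127.0.0.0/8,::1/128`, which is the "localhost ip networks" the comment above refers to. `ParseTrustedProxies` and `ResolveClientIP` are this example's own names.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// ParseTrustedProxies parses the comma separated list of networks that the
// config comment describes (e.g. "127.0.0.0/8,::1/128"). A plain address is
// accepted as a single-host network.
func ParseTrustedProxies(csv string) ([]netip.Prefix, error) {
	var out []netip.Prefix
	for _, field := range strings.Split(csv, ",") {
		field = strings.TrimSpace(field)
		if field == "" {
			continue
		}
		if p, err := netip.ParsePrefix(field); err == nil {
			out = append(out, p)
			continue
		}
		a, err := netip.ParseAddr(field)
		if err != nil {
			return nil, fmt.Errorf("trusted proxy %q is neither a CIDR nor an address", field)
		}
		out = append(out, netip.PrefixFrom(a, a.BitLen()))
	}
	return out, nil
}

func isTrusted(a netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// ResolveClientIP is a simplified model (not Forgejo's own code) of how a
// reverse-proxy-aware server derives the client address it logs:
//   - if the TCP peer is not inside a trusted network, both headers are
//     untrusted client input and the peer itself is logged;
//   - otherwise X-Forwarded-For is walked from the right, skipping trusted
//     proxies, and the first untrusted address wins; with an empty
//     X-Forwarded-For the X-Real-IP value is used instead.
func ResolveClientIP(peerAddr, xff, xRealIP string, trusted []netip.Prefix) (string, error) {
	peer, err := netip.ParseAddr(peerAddr)
	if err != nil {
		return "", fmt.Errorf("bad peer address %q: %w", peerAddr, err)
	}
	if !isTrusted(peer, trusted) {
		return peer.String(), nil
	}
	if strings.TrimSpace(xff) == "" {
		xff = xRealIP
	}
	candidate := peer
	parts := strings.Split(xff, ",")
	for i := len(parts) - 1; i >= 0; i-- {
		s := strings.TrimSpace(parts[i])
		if s == "" {
			continue
		}
		a, err := netip.ParseAddr(s)
		if err != nil {
			return "", fmt.Errorf("bad forwarded address %q: %w", s, err)
		}
		candidate = a
		if !isTrusted(a, trusted) {
			break // first hop that is not one of our proxies: the real client
		}
	}
	return candidate.String(), nil
}

func main() {
	// Constructed sample values: 10.89.0.0/24 stands in for the podman network
	// the caddy container lives in, 203.0.113.7 for a real client and
	// 198.51.100.9 for an address a client smuggles into its own header.
	loopbackOnly := "127.0.0.0/8,::1/128"
	withPodman := loopbackOnly + ",10.89.0.0/24"
	everyone := "0.0.0.0/0"
	cases := []struct{ name, peer, xff, trusted string }{
		{"default, proxy in podman net", "10.89.0.2", "203.0.113.7", loopbackOnly},
		{"podman net trusted", "10.89.0.2", "203.0.113.7", withPodman},
		{"client spoofs header", "10.89.0.2", "198.51.100.9, 203.0.113.7", withPodman},
		{"everything trusted", "10.89.0.2", "198.51.100.9, 203.0.113.7", everyone},
	}
	for _, c := range cases {
		trusted, err := ParseTrustedProxies(c.trusted)
		if err != nil {
			fmt.Println(c.name, "->", err)
			continue
		}
		ip, err := ResolveClientIP(c.peer, c.xff, "", trusted)
		fmt.Printf("%-32s -> %s (err=%v)\n", c.name, ip, err)
	}
}
```

The first case reproduces the symptom from the thread: with only loopback trusted, the podman address of the caddy container is what gets logged. The last case is the trap to avoid when "fixing" that: trusting `0.0.0.0/0` makes the header fully client-controlled, so the smuggled address wins; the list should be exactly the network caddy sends from.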
saibotk requested changes 2025-08-31 16:06:51 +02:00
Dismissed
@ -28,6 +28,10 @@ forgejo_first_admin_email: "forgejo@example.com"
# forgejo_lfs_jwt_secret: ""
# forgejo_oauth2_jwt_secret: ""
# A comma seperated list of ip networks for trusted reverse proxy servers
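Review bot: the new comment line misspells "separated" and does not tell an operator what value to put below it; since the default is not a working value for a setup where the proxy reaches forgejo from a container network, name that network in the comment, e.g. `# A comma separated list of ip networks for trusted reverse proxy servers (add the network the caddy container connects from, e.g. the podman network)`.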
Owner

This is good as is, but because it is not a working default value, we should add a note on what IPs to enter here (caddy network).

Author
Owner

Fair point about the note.

However, just to be clear: this default value is the same as forgejo's default value for this setting. If this ansible var is not changed by anyone running this role, this change as a whole does not result in a meaningful config change (the file contents will of course change, but the resulting config is the same as far as forgejo is concerned).

Author
Owner

fixed in 10226bb603bf703d62f1080fbb89d447225a1619
saibotk marked this conversation as resolved
histalek force-pushed forgejo-trusted-proxies from 0642e755f2 to b7080ff210 2025-09-20 10:33:32 +02:00 Compare
!fixup from codereview
All checks were successful
ci/woodpecker/pr/ansible-lint Pipeline was successful
10226bb603
requested review from saibotk 2025-09-20 10:43:10 +02:00
saibotk approved these changes 2025-09-21 15:59:44 +02:00
histalek force-pushed forgejo-trusted-proxies from 10226bb603 to 285192756e 2025-09-21 16:19:01 +02:00 Compare
histalek deleted branch forgejo-trusted-proxies 2025-09-21 16:19:25 +02:00

Reference: SipsOfCode/infrastructure#357