fix: trust docker gateway IP for reverse proxy auth
Deploy Dashboard / deploy (push) Successful in 1m35s
Deploy Dashboard / deploy (push) Successful in 1m35s
This commit is contained in:
@@ -113,8 +113,9 @@ async def login(creds: LoginRequest, request: Request):
|
||||
async def proxy_auth(request: Request):
|
||||
"""Auto-login when Authelia has already authenticated the user via forward-auth.
|
||||
Caddy sets Remote-User header after successful Authelia 2FA verification."""
|
||||
# Prevent IP spoofing: ensure proxy traffic is from localhost (Caddy)
|
||||
if request.client.host not in ("127.0.0.1", "::1"):
|
||||
# Prevent IP spoofing: ensure proxy traffic is from trusted proxy network
|
||||
import config
|
||||
if not config.is_trusted_proxy(request.client.host):
|
||||
logger.warning(f"Rejected proxy auth attempt from unauthorized IP: {request.client.host}")
|
||||
raise HTTPException(status_code=403, detail="Unauthorized proxy source")
|
||||
|
||||
|
||||
Reference in New Issue
Block a user