From a567d5dc3193286684fdf0b7cf287817bdfe6581 Mon Sep 17 00:00:00 2001
From: FreddleSpl0it
Date: Tue, 18 Feb 2025 11:03:34 +0100
Subject: [PATCH] [Nginx] Add support for trusted proxies via env var
---
 data/Dockerfiles/nginx/bootstrap.py | 3 ++-
 data/conf/nginx/templates/sites-default.conf.j2 | 6 ++++--
 docker-compose.yml | 4 +++-
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/data/Dockerfiles/nginx/bootstrap.py b/data/Dockerfiles/nginx/bootstrap.py
index ab95c2a6b..11e6fc202 100644
--- a/data/Dockerfiles/nginx/bootstrap.py
+++ b/data/Dockerfiles/nginx/bootstrap.py
@@ -43,10 +43,11 @@ def nginx_conf(env, template_vars):
 def prepare_template_vars():
 ipv4_network = os.getenv("IPV4_NETWORK", "172.22.1")
 additional_server_names = os.getenv("ADDITIONAL_SERVER_NAMES", "")
+ trusted_proxies = os.getenv("TRUSTED_PROXIES", "")
 template_vars = {
 'IPV4_NETWORK': ipv4_network,
- 'TRUSTED_NETWORK': os.getenv("TRUSTED_NETWORK", False),
+ 'TRUSTED_PROXIES': [item.strip() for item in trusted_proxies.split(",") if item.strip()],
 'SKIP_RSPAMD': os.getenv("SKIP_RSPAMD", "n").lower() in ("y", "yes"),
 'SKIP_SOGO': os.getenv("SKIP_SOGO", "n").lower() in ("y", "yes"),
 'NGINX_USE_PROXY_PROTOCOL': os.getenv("NGINX_USE_PROXY_PROTOCOL", "n").lower() in ("y", "yes"),
diff --git a/data/conf/nginx/templates/sites-default.conf.j2 b/data/conf/nginx/templates/sites-default.conf.j2
index 23bce6cea..574bdb052 100644
--- a/data/conf/nginx/templates/sites-default.conf.j2
+++ b/data/conf/nginx/templates/sites-default.conf.j2
@@ -52,10 +52,12 @@ set_real_ip_from 10.0.0.0/8;
 set_real_ip_from 172.16.0.0/12;
 set_real_ip_from 192.168.0.0/16;
 set_real_ip_from fc00::/7;
-{% if not TRUSTED_NETWORK %}
+{% for TRUSTED_PROXY in TRUSTED_PROXIES %}
+set_real_ip_from {{ TRUSTED_PROXY }};
+{% endfor %}
+{% if not NGINX_USE_PROXY_PROTOCOL %}
 real_ip_header X-Forwarded-For;
 {% else %}
-set_real_ip_from {{ TRUSTED_NETWORK }};
 real_ip_header proxy_protocol;
 {% endif %}
 real_ip_recursive on;
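Review bot: The new `'TRUSTED_PROXIES'` entry only strips whitespace, so a mistyped item in the env var (a hostname, or a token containing `;` or a space) is rendered verbatim into a `set_real_ip_from` directive by the template and is only rejected when nginx loads the config, with no hint of which entry was wrong. Parsing each item with the stdlib `ipaddress` module validates and normalizes it in one step, e.g. `'TRUSTED_PROXIES': [str(ipaddress.ip_network(item.strip(), strict=False)) for item in trusted_proxies.split(",") if item.strip()],` together with `import ipaddress` at the top of the file (outside this hunk); a bad entry then raises a `ValueError` naming the offending token at bootstrap. Removing the `'TRUSTED_NETWORK'` key also means an operator who still has `TRUSTED_NETWORK` set loses that trusted range silently; a transitional fallback such as `trusted_proxies = os.getenv("TRUSTED_PROXIES", os.getenv("TRUSTED_NETWORK", ""))` or a logged warning would make the migration visible, and the same applies to the docker-compose.yml hunk that wires the new variable. prepare_template_vars continues past the end of the hunk.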
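Review bot: The new `{% for %}` loop emits a `set_real_ip_from` for every entry in both header modes, and because `real_ip_recursive on;` follows, in the `X-Forwarded-For` branch each listed range becomes a hop whose header claims nginx believes; a broad entry (a whole /8, or `0.0.0.0/0`) therefore lets any host in that range pick the client address nginx records, and whatever downstream logic keys on the remote address inherits that choice. That is a configuration hazard rather than a bug in the hunk, but it belongs next to the loop, e.g. `# TRUSTED_PROXIES: only the exact addresses/CIDRs of the reverse proxies in front of nginx; with real_ip_recursive on, any host in a listed range can set the client address via X-Forwarded-For`. The `{% if not NGINX_USE_PROXY_PROTOCOL %}` switch also changes the rule for deployments that previously selected `proxy_protocol` by setting TRUSTED_NETWORK alone; since the variable defaults to `n` in bootstrap.py, those deployments silently fall back to `X-Forwarded-For`, which the commit message should call out. The surrounding server block starts and ends outside the hunk.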
diff --git a/docker-compose.yml b/docker-compose.yml
index 2cb6b98f1..cc4ee2b45 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -376,7 +376,7 @@ services:
 - php-fpm-mailcow
 - sogo-mailcow
 - rspamd-mailcow
- image: mailcow/nginx:1.02
+ image: mailcow/nginx:1.03
 dns:
 - ${IPV4_NETWORK:-172.22.1}.254
 environment:
@@ -394,6 +394,8 @@ services:
 - RSPAMDHOST=${RSPAMDHOST:-}
 - REDISHOST=${REDISHOST:-}
 - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
+ - NGINX_USE_PROXY_PROTOCOL=${NGINX_USE_PROXY_PROTOCOL:-n}
+ - TRUSTED_PROXIES=${TRUSTED_PROXIES:-}
 volumes:
 - ./data/web:/web:ro,z
 - ./data/conf/rspamd/dynmaps:/dynmaps:ro,z
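Review bot: `TRUSTED_PROXIES` is wired through with an empty default, but nothing in the compose file states the expected format, and the nginx template renders each comma-separated item unchanged into a `set_real_ip_from` directive, so a malformed item breaks nginx config load rather than being rejected with a useful message. A YAML comment above the new line, e.g. `# comma-separated IPs/CIDRs of the reverse proxies allowed to set the client address (X-Forwarded-For or PROXY protocol)`, keeps that contract next to the variable where operators will read it. The `environment:` list this hunk belongs to starts before the hunk.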