security: Support proxy with rate limiting and include CI test coverage for nginx rev proxy (#4373)

Previously Etherpad would not pass the correct client IP address through and this caused the rate limiter to limit users behind reverse proxies. This change allows Etherpad to use a client IP passed from a reverse proxy. Note to devs: This header can be spoofed and spoofing the header could be used in an attack. To mitigate additional *steps should be taken by Etherpad site admins IE doing rate limiting at proxy.* This only really applies to large scale deployments but it's worth noting.
2025-04-30 20:29:13 -04:00 · 2020-10-01 11:39:01 +02:00 · 2020-10-01 11:39:01 +02:00 · ceb09ce99a
commit ceb09ce99a
parent dbef630f44
9 changed files with 120 additions and 3 deletions
--- a/.travis.yml
+++ b/.travis.yml
@ -99,6 +99,18 @@ jobs:
        - "npm install -g etherpad-load-test"
      script:
        - "tests/frontend/travis/runnerLoadTest.sh"
+    - name: "Test rate limit"
+      install:
+        - "docker network create --subnet=172.23.42.0/16 ep_net"
+        - "docker build -f Dockerfile -t epl-debian-slim ."
+        - "docker build -f tests/ratelimit/Dockerfile.nginx -t nginx-latest ."
+        - "docker build -f tests/ratelimit/Dockerfile.anotherip -t anotherip ."
+        - "docker run -p 8081:80 --rm --network ep_net --ip 172.23.42.1 -d nginx-latest"
+        - "docker run --name etherpad-docker -p 9000:9001 --rm --network ep_net --ip 172.23.42.2 -e 'TRUST_PROXY=true' epl-debian-slim &"
+        - "docker run --rm --network ep_net --ip 172.23.42.3 --name anotherip -dt anotherip"
+        - "./bin/installDeps.sh"
+      script:
+        - "cd tests/ratelimit && bash testlimits.sh"

 notifications:
  irc: