security: Support proxy with rate limiting and include CI test coverage for nginx rev proxy (#4373)

Previously Etherpad would not pass the correct client IP address through and this caused the rate limiter to limit users behind reverse proxies.  This change allows Etherpad to use a client IP passed from a reverse proxy.

Note to devs: This header can be spoofed and spoofing the header could be used in an attack.  To mitigate additional *steps should be taken by Etherpad site admins IE doing rate limiting at proxy.*  This only really applies to large scale deployments but it's worth noting.

tests/ratelimit/Dockerfile.anotherip

@@ -0,0 +1,4 @@
+FROM node:alpine3.12
+WORKDIR /tmp
+RUN npm i etherpad-cli-client
+COPY ./tests/ratelimit/send_changesets.js /tmp/send_changesets.js

tests/ratelimit/Dockerfile.nginx

@@ -0,0 +1,2 @@
+FROM nginx
+COPY ./tests/ratelimit/nginx.conf /etc/nginx/nginx.conf

tests/ratelimit/nginx.conf

@@ -0,0 +1,26 @@
+events {}
+http {
+  server {
+        access_log  /dev/fd/1;
+        error_log   /dev/fd/2;
+        location / {
+            proxy_pass             http://172.23.42.2:9001/;
+            proxy_set_header       Host $host;
+            proxy_pass_header Server;
+            # be careful, this line doesn't override any proxy_buffering on set in a conf.d/file.conf
+            proxy_buffering off;
+            proxy_set_header X-Real-IP $remote_addr;  # http://wiki.nginx.org/HttpProxyModule
+            proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
+            proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
+            proxy_set_header Host $host;  # pass the host header                                                   
+            proxy_http_version 1.1;  # recommended with keepalive connections                                                    
+            # WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+        }
+	}
+  map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+  }
+}

tests/ratelimit/send_changesets.js

@@ -0,0 +1,25 @@
+try{
+  var etherpad = require("../../src/node_modules/etherpad-cli-client");
+  //ugly
+} catch {
+  var etherpad = require("etherpad-cli-client")
+}
+var pad = etherpad.connect(process.argv[2]);
+pad.on("connected", function(){
+
+  setTimeout(function(){
+    setInterval(function(){
+      pad.append("1");
+    }, process.argv[3]);
+  },500); // wait because CLIENT_READY message is included in ratelimit
+
+  setTimeout(function(){
+    process.exit(0);
+  },11000)
+});
+// in case of disconnect exit code 1
+pad.on("message", function(message){
+  if(message.disconnect == 'rateLimited'){
+    process.exit(1);
+  }
+})

tests/ratelimit/testlimits.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+#sending changesets every 101ms should not trigger ratelimit
+node send_changesets.js http://127.0.0.1:8081/p/BACKEND_TEST_ratelimit_101ms 101
+if [[ $? -ne 0 ]];then
+  echo "FAILED: ratelimit was triggered when sending every 101 ms"
+  exit 1
+fi
+
+#sending changesets every 99ms should trigger ratelimit
+node send_changesets.js http://127.0.0.1:8081/p/BACKEND_TEST_ratelimit_99ms 99
+if [[ $? -ne 1 ]];then
+  echo "FAILED: ratelimit was not triggered when sending every 99 ms"
+  exit 1
+fi
+
+#sending changesets every 101ms via proxy
+node send_changesets.js http://127.0.0.1:8081/p/BACKEND_TEST_ratelimit_101ms 101 &
+pid1=$!
+
+#sending changesets every 101ms via second IP and proxy
+docker exec anotherip node /tmp/send_changesets.js http://172.23.42.1:80/p/BACKEND_TEST_ratelimit_101ms_via_second_ip 101 &
+pid2=$!
+
+wait $pid1
+exit1=$?
+wait $pid2
+exit2=$?
+
+echo "101ms with proxy returned with ${exit1}"
+echo "101ms via another ip returned with ${exit2}"
+
+if [[ $exit1 -eq 1 || $exit2 -eq 1 ]];then
+  echo "FAILED: ratelimit was triggered during proxy and requests via second ip"
+  exit 1
+fi