From ff36ba8f086b3d7d712a207192464e8fb2e9c491 Mon Sep 17 00:00:00 2001
From: renaud gaudin
Date: Thu, 31 Aug 2023 18:09:58 +0000
Subject: [PATCH] Accept X-Forwarded-For header
Ideally we'd set it to our nginx ingress that sets it but we can't easily know the IP from the running API pod (it's a kube-system daemonset). Also, uvicorn only supports direct IP and cannot compute CIDR > https://github.com/encode/uvicorn/blob/fc2130bf1a740acaa502530079bfbd595fa7a94c/uvicorn/middleware/proxy_headers.py#L56 So we are accepting the first value of X-Forwarded-For header. Thankfully, nginx-ingress by default strips it so it cant be spoofed. > https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-forwarded-headers
---
 nautilus/api/api-configs.cm.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/nautilus/api/api-configs.cm.yaml b/nautilus/api/api-configs.cm.yaml
index 5d796b6..684fccb 100644
--- a/nautilus/api/api-configs.cm.yaml
+++ b/nautilus/api/api-configs.cm.yaml
@@ -13,3 +13,4 @@ data:
 CHUNK_SIZE: "2MiB"
 REDIS_URI: "redis://redis-service:6379/0"
 CHANNEL_NAME: "s3_upload"
+ FORWARDED_ALLOW_IPS: "*"
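Review bot: `FORWARDED_ALLOW_IPS: "*"` makes the API trust `X-Forwarded-For` from every peer, so the client address is only reliable while two conditions outside this file hold: ingress-nginx keeps `use-forwarded-headers` at its default, and nothing can reach the API pod except through that ingress. Neither is recorded or enforced here, and a later ingress config change or a direct in-cluster connection would presumably let a caller choose the IP the API sees, which matters if that IP feeds rate limiting, allow-lists or audit logs. I would add a comment above the key, e.g. `# "*" trusts X-Forwarded-For from any peer; relies on ingress-nginx use-forwarded-headers=false and ingress-only access to the pod`, and pair it with a NetworkPolicy that admits only the ingress controller to the API pods. The `data:` mapping starts above the hunk, so its other keys are not visible here.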