diff --git a/docs/configuration.md b/docs/configuration.md index 089253873..43fa6b704 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -518,8 +518,25 @@ do CORS calls. Set this to your public domain name. fail2ban with log entries for failed authorization attempts. Value should be IP address(es). + This setting also controls allauth's + [`ALLAUTH_TRUSTED_PROXY_COUNT`](https://docs.allauth.org/en/latest/account/configuration.html), + which is set to the number of proxies listed here. Without this, + allauth cannot determine the client IP address for rate limiting when + running behind a reverse proxy, resulting in a `403 Forbidden` on login. + Defaults to empty string. +#### [`PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER=`](#PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER) {#PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER} + +: Sets allauth's +[`ALLAUTH_TRUSTED_CLIENT_IP_HEADER`](https://docs.allauth.org/en/latest/account/configuration.html). +Use this when your reverse proxy sets a dedicated header for the real +client IP instead of `X-Forwarded-For`, for example `X-Real-IP` (nginx) +or `CF-Connecting-IP` (Cloudflare). When set, this takes precedence over +[`PAPERLESS_TRUSTED_PROXIES`](#PAPERLESS_TRUSTED_PROXIES). + + Defaults to none. + #### [`PAPERLESS_FORCE_SCRIPT_NAME=`](#PAPERLESS_FORCE_SCRIPT_NAME) {#PAPERLESS_FORCE_SCRIPT_NAME} : To host paperless under a subpath url like example.com/paperless you diff --git a/docs/migration-v3.md b/docs/migration-v3.md index e17dd3b65..4fff1f858 100644 --- a/docs/migration-v3.md +++ b/docs/migration-v3.md @@ -318,3 +318,11 @@ echo "Document ${DOCUMENT_ID} from ${DOCUMENT_CORRESPONDENT} tagged: ${DOCUMENT_ Update any pre- or post-consumption scripts that read `$1`, `$2`, etc. to use the corresponding environment variables instead. Environment variables have been the preferred option since v1.8.0. + +## Reverse Proxy and Login Rate Limiting + +Allauth changed how it determines the client IP address for login rate limiting. Users running +behind a reverse proxy may need to set +[`PAPERLESS_TRUSTED_PROXIES`](configuration.md#PAPERLESS_TRUSTED_PROXIES), +[`PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER`](configuration.md#PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER), +or both, to avoid `403 Forbidden` errors on login. diff --git a/src/paperless/settings/__init__.py b/src/paperless/settings/__init__.py index d021cffbb..5d208c9f3 100644 --- a/src/paperless/settings/__init__.py +++ b/src/paperless/settings/__init__.py @@ -454,6 +454,12 @@ PAPERLESS_URL = _parse_paperless_url() # For use with trusted proxies TRUSTED_PROXIES = get_list_from_env("PAPERLESS_TRUSTED_PROXIES") +# Derive allauth's proxy count from the same list so X-Forwarded-For is trusted +# correctly when users have configured PAPERLESS_TRUSTED_PROXIES. +ALLAUTH_TRUSTED_PROXY_COUNT = len(TRUSTED_PROXIES) +ALLAUTH_TRUSTED_CLIENT_IP_HEADER = os.getenv( + "PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER", +) USE_X_FORWARDED_HOST = get_bool_from_env("PAPERLESS_USE_X_FORWARD_HOST", "false") USE_X_FORWARDED_PORT = get_bool_from_env("PAPERLESS_USE_X_FORWARD_PORT", "false")