When you use the PROXY protocol with Nginx, you have to set set_real_ip_from with the downstream (fly.io’s) proxy CIDR. The intention here is to prevent a random client from talking to you over the PROXY protocol and spoofing addresses.
Is it safe to assume that Fly.io’s proxies already reject clients that talk the PROXY protocol? Meaning that set_real_ip_from 0.0.0.0/0; can be safely used. Otherwise what range should be used?
If you are using the proxy_proto handler, fly-proxy always adds a PROXY protocol header to the connection forwarded to your app. If a client establishes a connection to your app via fly-proxy and sends its own PROXY protocol header, the proxy won’t reject the connection, but your app should see two PROXY protocol headers: the first one inserted by fly-proxy and the next one sent originally by the client. I assume nginx will look at the first one only.
If you are trying to protect the app from requests over 6pn (e.g. from other instances of your app/your other apps), you can set set_real_ip_from to 172.16.0.0/16. That’s the range used by the proxy for egress connections to machines.
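The situation described in the answer above, as an added example that is not part of the original thread and is not nginx or fly-proxy code: a small Python model of a PROXY protocol v1 receiver that consumes only the first header and uses its claimed source address only when the TCP peer is inside a trusted range. The function names and the sample stream are constructed for illustration; 172.16.0.0/16 is the range quoted in the answer.

```python
import ipaddress

# Range quoted in the answer above for fly-proxy egress connections to machines.
TRUSTED = [ipaddress.ip_network("172.16.0.0/16")]

# Constructed sample: header added by the proxy, then one sent by the client itself.
SAMPLE = (b"PROXY TCP4 203.0.113.7 172.16.0.10 51000 8080\r\n"
          b"PROXY TCP4 10.0.0.1 10.0.0.2 1234 80\r\n"
          b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")

def split_proxy_v1(stream: bytes):
    """Consume exactly one PROXY v1 header; return (claimed_src_ip, remaining_bytes)."""
    line, sep, rest = stream.partition(b"\r\n")
    # A v1 header is at most 107 bytes including the trailing CRLF.
    if not sep or len(line) > 105 or not line.startswith(b"PROXY "):
        raise ValueError("no PROXY v1 header at start of stream")
    parts = line.decode("ascii").split(" ")
    if parts[1] == "UNKNOWN":
        return None, rest
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src = ipaddress.ip_address(parts[2])   # raises ValueError if not an IP
    ipaddress.ip_address(parts[3])         # validate the destination too
    if not all(0 <= int(p) <= 65535 for p in parts[4:6]):
        raise ValueError("port out of range")
    return str(src), rest

def client_address(peer_ip: str, stream: bytes):
    """Return (address to log, application payload) for one connection."""
    peer = ipaddress.ip_address(peer_ip)
    claimed, payload = split_proxy_v1(stream)
    # Same idea as set_real_ip_from: believe the header only from a trusted peer.
    if claimed is None or not any(peer in net for net in TRUSTED):
        return peer_ip, payload
    return claimed, payload
```

The client's own header is left in the payload, so it reaches the HTTP parser as a malformed request line instead of overriding the address supplied by the proxy.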