From 56d90fb35346f59adfe161b78c4426c2bc2ea7c1 Mon Sep 17 00:00:00 2001
From: tituspijean
Date: Wed, 5 Jul 2023 00:23:48 +0200
Subject: [PATCH] [autopatch] Fix Host and X-Forwarded-For header spoofing
---
 conf/nginx.conf | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 6acb77a..436d7e5 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -7,21 +7,21 @@ location ~ ^/$ {
 # static files
 location ^~ /browser {
 proxy_pass http://localhost:__PORT__;
- proxy_set_header Host $http_host;
+ proxy_set_header Host $host;
 more_set_headers "X-Frame-Options: ALLOWALL";
 }
 # WOPI discovery URL
 location ^~ /hosting/discovery {
 proxy_pass http://localhost:__PORT__;
- proxy_set_header Host $http_host;
+ proxy_set_header Host $host;
 more_set_headers "X-Frame-Options: ALLOWALL";
 }
 # Capabilities
 location ^~ /hosting/capabilities {
 proxy_pass http://localhost:__PORT__;
- proxy_set_header Host $http_host;
+ proxy_set_header Host $host;
 more_set_headers "X-Frame-Options: ALLOWALL";
 }
@@ -30,7 +30,7 @@ location ~ ^/cool/(.*)/ws$ {
 proxy_pass http://localhost:__PORT__;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "Upgrade";
- proxy_set_header Host $http_host;
+ proxy_set_header Host $host;
 proxy_read_timeout 36000s;
 more_set_headers "X-Frame-Options: ALLOWALL";
 }
@@ -38,7 +38,7 @@ location ~ ^/cool/(.*)/ws$ {
 # download, presentation and image upload
 location ~ ^/(c|l)ool {
 proxy_pass http://localhost:__PORT__;
- proxy_set_header Host $http_host;
+ proxy_set_header Host $host;
 more_set_headers "X-Frame-Options: ALLOWALL";
 }
@@ -47,6 +47,6 @@ location ^~ /cool/adminws {
 proxy_pass http://localhost:__PORT__;
 proxy_set_header Upgrade $http_upgrade;
 proxy_set_header Connection "Upgrade";
- proxy_set_header Host $http_host;
+ proxy_set_header Host $host;
 proxy_read_timeout 36000s;
 }
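Review bot: The subject line names X-Forwarded-For, but none of the six patched locations (`/browser`, `/hosting/discovery`, `/hosting/capabilities`, the `/cool/(.*)/ws` websocket, `/(c|l)ool` and `/cool/adminws`) sets that header, so a value supplied by the client is still passed unchanged to the backend on `localhost:__PORT__`. nginx inherits `proxy_set_header` from the enclosing level only when a location defines none of its own, and every location here defines `Host`, so a server-level setting would not reach these blocks either. Adding `proxy_set_header X-Forwarded-For $remote_addr;` next to each `Host` line would pin the value; whether the backend actually reads the header is not visible from this file. Note also that `$host` still falls back to the client's Host header when the request line carries no host name, so the Host part of the fix relies on the enclosing server block having a strict `server_name` and a catch-all default server, neither of which this diff shows.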