From 717c16b3d8e0ab025f3465455f358101b7e4cb31 Mon Sep 17 00:00:00 2001
From: proffapt <proffapt@pm.me>
Date: Fri, 5 Jul 2024 00:48:24 +0530
Subject: [PATCH] feat: reflecting changes for fix: X-Forwarded-For spoofing
 attack - heimdall

---
 metaploy/naarad.metaploy.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/metaploy/naarad.metaploy.conf b/metaploy/naarad.metaploy.conf
index 3bed28c..cde81fa 100644
--- a/metaploy/naarad.metaploy.conf
+++ b/metaploy/naarad.metaploy.conf
@@ -9,12 +9,12 @@ server {
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Original-URI $request_uri;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 
     # Unprotected routes
     ## Allows us to call the /v1/health endpoint for healthcheck
     location = /v1/health {
         proxy_pass http://naarad;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     }
     ## Allows the app to be functional 
     ## as it doesn't have Heimdall Session Auth
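Review bot: `$proxy_add_x_forwarded_for` on the new server-level line keeps whatever X-Forwarded-For value the client sent and appends `$remote_addr`, so the header reaching naarad is still partly client-controlled; the upstream has to read the right-most entry (or rely on X-Real-IP, which is built from `$remote_addr` alone) for the spoofing fix to hold. If this nginx is the first proxy in the chain, `proxy_set_header X-Forwarded-For $remote_addr;` would discard the client-supplied list entirely. Moving the directive up also changes what `/v1/health` receives: since that location no longer defines any proxy_set_header of its own, nginx now inherits Host, X-Real-IP, X-Original-URI and X-Forwarded-For from the server level, and the deletion in the second hunk relies on the same inheritance rule. The enclosing server block starts before and continues after this hunk.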
@@ -51,7 +51,6 @@ server {
         }
 
         proxy_pass http://naarad;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     }
     ## FRONTEND
     ### Permanently move the /signup endpoint
@@ -81,6 +80,7 @@ server {
         proxy_pass_request_body off;
         proxy_set_header Content-Length "";
         proxy_set_header Cookie $http_cookie;
+        proxy_set_header X-Real-IP $remote_addr; # For heimdall to see, real user
     }
 
     # Handle case when auth fails in /auth sub request
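Review bot: The location in this hunk defines its own proxy_set_header directives, and nginx then inherits none from the server level, so the X-Forwarded-For line added in the first hunk does not apply to this auth subrequest and the client's original X-Forwarded-For header is passed through to heimdall unchanged. If heimdall consults that header, add `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` beside the new X-Real-IP line (or clear it with `proxy_set_header X-Forwarded-For "";`) so heimdall only sees a value this proxy produced. The trailing comment on the new line is also hard to parse; `# this location sets its own proxy_set_header, so server-level headers are not inherited; re-set X-Real-IP for heimdall` states the actual reason. The enclosing location block starts before this hunk.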