Support trusted proxies in Workhorse config
What does this MR do and why?
Previously the Workhorse `remote_ip` in the access logs could
incorrectly show a proxy IP even if the
`trusted_cidrs_for_x_forwarded_for` config were set. That's because
the xff package that was used in labkit would only filter
proxy addresses that matched one of the following CIDR blocks:
- `127.0.0.0/8`
- `10.0.0.0/8`
- `172.16.0.0/12`
- `192.168.0.0/16`
- `fc00::/7`
With labkit!201 (merged), LabKit now matches the Rails implementation of filtering trusted proxies to determine the remote IP.
Relates to #325078 (closed)
How to set up and validate locally
- Edit the `workhorse/config.toml`.
- Add `trusted_cidrs_for_x_forwarded_for = ["127.0.0.1/32", "100.1.1.1/32"]` to the top.
- `gdk restart gitlab-workhorse`
- `gdk tail gitlab-workhorse`
- Now run `curl -H "X-Forwarded-For: 100.1.1.1, 1.2.3.4, 127.0.0.1" https://your-gdk-host:your-gdk-port/`
You'll see that 1.2.3.4 should be the remote_ip:
{"backend_id":"rails","content_type":"text/plain; charset=utf-8","correlation_id":"01JTKN8CSPV097C2B1Q2SA9SN4","duration_ms":790,"host":"host.docker.internal:8080","level":"info","method":"GET","msg":"access","proto":"HTTP/1.1","read_bytes":385,"referrer":"","remote_addr":"100.1.1.1:65281","remote_ip":"1.2.3.4","route":"","route_id":"default","status":500,"system":"http","time":"2025-05-06T13:40:36-07:00","ttfb_ms":790,"uri":"/","user_agent":"curl/8.7.1","written_bytes":8272}
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Stan Hu
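The trusted-proxy filtering described above can be sketched as a right-to-left walk over `X-Forwarded-For`. This is an added example, not LabKit or Workhorse code; it compares the configured CIDRs from the validation steps with the fixed private ranges. The helper names `trusted` and `clientIP` are hypothetical, and ignoring the header from an untrusted peer and stopping at a malformed entry are choices of this example.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// The fixed ranges the description says the old xff package filtered.
var privateOnly = []string{"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7"}

// trusted reports whether ip falls inside any CIDR; an invalid CIDR matches nothing.
func trusted(ip netip.Addr, cidrs []string) bool {
	for _, c := range cidrs {
		if p, err := netip.ParsePrefix(c); err == nil && p.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP (hypothetical helper) returns the nearest hop that is not a trusted proxy.
func clientIP(xff, remoteAddr string, cidrs []string) string {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return ""
	}
	peer := ap.Addr().Unmap()
	if !trusted(peer, cidrs) {
		return peer.String() // peer is not a known proxy: do not believe its header
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // malformed entry: stop and fall back to the peer
		}
		if ip = ip.Unmap(); !trusted(ip, cidrs) {
			return ip.String()
		}
	}
	return peer.String()
}

func main() {
	configured := []string{"127.0.0.1/32", "100.1.1.1/32"} // values from the description
	xff := "100.1.1.1, 1.2.3.4, 127.0.0.1"                 // header from the curl step
	fmt.Println(clientIP(xff, "100.1.1.1:65281", configured))
	fmt.Println(clientIP(xff, "100.1.1.1:65281", privateOnly))
}
```

With the configured CIDRs the result matches the `remote_ip` in the log line above; with only the private ranges, this sketch reports the proxy address `100.1.1.1` instead.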