Correct the handling of multiple X-Forwarded-For headers to Synapse.

benbz · benbz · commit 2c148dbb0ced · 2025-10-09T11:17:44.000+01:00
diff --git a/charts/matrix-stack/configs/haproxy/haproxy.cfg.tpl b/charts/matrix-stack/configs/haproxy/haproxy.cfg.tpl
@@ -26,6 +26,14 @@ defaults
 
   log global
 
+  # The Ingress Controller should appropriately set an X-Forwarded-For header
+  # We leave it alone if it has, but add in the source address in cases where it hasn't
+  # or the request hasn't come from the ingress controller (i.e. in-cluster)
+  option forwardfor if-none
+
+  # Set the RFC7239 `Forwarded` header
+  option forwarded
+
   # wait for 5s when connecting to a server
   timeout connect 5s
 
diff --git a/charts/matrix-stack/configs/synapse/partial-haproxy.cfg.tpl b/charts/matrix-stack/configs/synapse/partial-haproxy.cfg.tpl
@@ -39,21 +39,6 @@ frontend synapse-http-in
   http-request capture req.fhdr(x-forwarded-for) len 64
   http-request capture req.fhdr(user-agent) len 200
 
-  # before we change the 'src', stash it in a session variable
-  http-request set-var(sess.orig_src) src if !{ var(sess.orig_src) -m found }
-
-  # in case this is not the first request on the connection, restore the
-  # 'src' to the original, in case we fail to parse the x-f-f header.
-  http-request set-src var(sess.orig_src)
-
-  # Traditionally do this only for traffic from some limited IP addreses
-  # but the incoming router being what it is, means we have no fixed IP here.
-  http-request set-src hdr(x-forwarded-for)
-
-  # We always add a X-Forwarded-For header (clobbering any existing
-  # headers).
-  http-request set-header X-Forwarded-For %[src]
-
   # Ingresses by definition run on both 80 & 443 and there's no customising of that
   # It is up to the ingress controller and any annotations provided to it whether
   # it sets any additional headers or not or whether it redirects http -> https
diff --git a/newsfragments/788.changed.2.md b/newsfragments/788.changed.2.md
@@ -0,0 +1,7 @@
+Correct the handling of multiple X-Forwarded-For headers to Synapse.
+
+This may have exhibit itself as requests being incorrectly rate-limited by Synapse.
+
+The source IP logged by HAProxy is now always the IP connecting to HAProxy rather than
+a value extracted from the X-Forwarded-For header (if present). This is usually an IP
+for the ingress controller.
