From 4ec6ef431e8188927e47dc744256f88b44cd409c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arturo=20Filast=C3=B2?= <arturo@filasto.net>
Date: Thu, 14 Nov 2024 17:51:30 +0100
Subject: [PATCH] Trust the X-Real-IP coming from AWS

---
 ansible/roles/ooni-backend/templates/nginx-api-fsn.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ansible/roles/ooni-backend/templates/nginx-api-fsn.conf b/ansible/roles/ooni-backend/templates/nginx-api-fsn.conf
index 9d6e1451..804c61e0 100644
--- a/ansible/roles/ooni-backend/templates/nginx-api-fsn.conf
+++ b/ansible/roles/ooni-backend/templates/nginx-api-fsn.conf
@@ -218,6 +218,10 @@ server {
       # If remote_addr is ams-pg trust the X-Real-IP header
       set $external_remote_addr $http_x_real_ip;
     }
+    if ($remote_addr = "3.71.175.168") {
+      # If remote_addr is our AWS instance, trust the X-Real-IP header
+      set $external_remote_addr $http_x_real_ip;
+    }
     proxy_set_header X-Real-IP $external_remote_addr;
 
     proxy_cache apicache;