From 95f40047efe5bf9cf0d32315a2b95f04217f613a Mon Sep 17 00:00:00 2001
From: dosera <doser.andre@gmail.com>
Date: Fri, 16 Jul 2021 11:04:52 +0200
Subject: [PATCH] =?UTF-8?q?Extend=20the=20fail2ban=20instructions=20with?=
 =?UTF-8?q?=20a=20hint=20on=20how=20to=20make=20X-Real-IP=E2=80=A6=20(#164?=
 =?UTF-8?q?46)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Following the merging of #14959 - Gitea is a lot more strict regarding the interpretation of `X-Real-IP` and `X-Forwarded-For` headers.

This PR updates the fail2ban documentation to include hints to set: `REVERSE_PROXY_TRUSTED_PROXIES` and `REVERSE_PROXY_LIMIT` appropriately.

See discussion in #16443

Co-authored-by: zeripath <art27@cantab.net>
---
 docs/content/doc/usage/fail2ban-setup.en-us.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/docs/content/doc/usage/fail2ban-setup.en-us.md b/docs/content/doc/usage/fail2ban-setup.en-us.md
index f96cf889a3..0821b23a9f 100644
--- a/docs/content/doc/usage/fail2ban-setup.en-us.md
+++ b/docs/content/doc/usage/fail2ban-setup.en-us.md
@@ -108,3 +108,12 @@ this to your Nginx configuration so that IPs don't show up as 127.0.0.1:
 ```
 proxy_set_header X-Real-IP $remote_addr;
 ```
+
+The security options in `app.ini` need to be adjusted to allow the interpretation of the headers
+as well as the list of IP addresses and networks that describe trusted proxy servers
+(See the [configuration cheat sheet](https://docs.gitea.io/en-us/config-cheat-sheet/#security-security) for more information).
+
+```
+REVERSE_PROXY_LIMIT = 1
+REVERSE_PROXY_TRUSTED_PROXIES = 127.0.0.1/8 ; 172.17.0.0/16 for the docker default network
+```