From 4efa97735aeec46e3adc5120323dc4e3ac827000 Mon Sep 17 00:00:00 2001
From: michael-smt <139211597+michael-smt@users.noreply.github.com>
Date: Mon, 4 Sep 2023 21:48:29 +0200
Subject: [PATCH 1/3] Proxy: change default offset to take final IP

As recommended by https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#security_and_privacy_concerns
---
 weblate/settings_docker.py | 2 +-
 weblate/settings_example.py | 2 +-
 weblate/trans/models/_conf.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/weblate/settings_docker.py b/weblate/settings_docker.py
index 1e208d9c0904..41ce113fa726 100644
--- a/weblate/settings_docker.py
+++ b/weblate/settings_docker.py
@@ -1001,7 +1001,7 @@
 # Reverse proxy settings
 IP_PROXY_HEADER = get_env_str("WEBLATE_IP_PROXY_HEADER")
 IP_BEHIND_REVERSE_PROXY = bool(IP_PROXY_HEADER)
-IP_PROXY_OFFSET = 0
+IP_PROXY_OFFSET = -1

 # Sending HTML in mails
 EMAIL_SEND_HTML = True
diff --git a/weblate/settings_example.py b/weblate/settings_example.py
index f66828605766..f800c56e542d 100644
--- a/weblate/settings_example.py
+++ b/weblate/settings_example.py
@@ -669,7 +669,7 @@
 # Reverse proxy settings
 IP_PROXY_HEADER = "HTTP_X_FORWARDED_FOR"
 IP_BEHIND_REVERSE_PROXY = False
-IP_PROXY_OFFSET = 0
+IP_PROXY_OFFSET = -1

 # Sending HTML in mails
 EMAIL_SEND_HTML = True
diff --git a/weblate/trans/models/_conf.py b/weblate/trans/models/_conf.py
index caea04685cd7..1c8f7d8523e5 100644
--- a/weblate/trans/models/_conf.py
+++ b/weblate/trans/models/_conf.py
@@ -146,7 +146,7 @@ class WeblateConf(AppConf):
 # Rate limiting
 IP_BEHIND_REVERSE_PROXY = False
 IP_PROXY_HEADER = "HTTP_X_FORWARDED_FOR"
- IP_PROXY_OFFSET = 0
+ IP_PROXY_OFFSET = -1

 # Authentication
 AUTH_TOKEN_VALID = 172800
From c61561b49c39fef83505ec0863077524657095d2 Mon Sep 17 00:00:00 2001
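Review bot: The new default `-1` selects the rightmost X-Forwarded-For entry, which is the client address only when exactly one trusted proxy sits directly in front of Weblate and appends to the header rather than passing a client-supplied one through, and none of the three hunks records that assumption next to the value. Because settings_docker.py turns IP_BEHIND_REVERSE_PROXY on as soon as WEBLATE_IP_PROXY_HEADER is set, a deployment with a CDN in front of its own load balancer will now attribute requests to the inner hop; I would add `# -1: rightmost entry, i.e. the one appended by the trusted proxy directly in front of Weblate; adjust when more than one trusted proxy appends` above `IP_PROXY_OFFSET = -1` here and in the settings_example.py and _conf.py hunks. The docs hunks in the third patch state the default changed "from 1 to -1", whereas these hunks change it from 0, and the changes.rst entry has a doubled colon in `:setting::`.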
From: michael-smt <139211597+michael-smt@users.noreply.github.com>
Date: Tue, 5 Sep 2023 10:09:42 +0200
Subject: [PATCH 2/3] utils: add test for negative proxy offset
---
 weblate/utils/tests/test_middleware.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/weblate/utils/tests/test_middleware.py b/weblate/utils/tests/test_middleware.py
index af04e31e8755..169e77302050 100644
--- a/weblate/utils/tests/test_middleware.py
+++ b/weblate/utils/tests/test_middleware.py
@@ -3,6 +3,7 @@
 # SPDX-License-Identifier: GPL-3.0-or-later

 from unittest import TestCase
+from unittest.mock import patch

 from django.http.request import HttpRequest
 from django.test.utils import override_settings
@@ -61,3 +62,17 @@ def test_proxy_invalid(self):
 request.META["HTTP_X_FORWARDED_FOR"] = "2.3.4"
 middleware = ProxyMiddleware(self.get_response)
 self.assertEqual(middleware(request), "response")
+
+ @override_settings(
+ IP_BEHIND_REVERSE_PROXY=True,
+ IP_PROXY_HEADER="HTTP_X_FORWARDED_FOR",
+ IP_PROXY_OFFSET=-1,
+ )
+ def test_proxy_invalid_last(self):
+ with patch("weblate.middleware.report_error") as mock_report_error:
+ request = HttpRequest()
+ request.META["REMOTE_ADDR"] = "1.2.3.4"
+ request.META["HTTP_X_FORWARDED_FOR"] = "2.3.4, 1.2.3.4"
+ middleware = ProxyMiddleware(self.get_response)
+ self.assertEqual(middleware(request), "response")
+ mock_report_error.assert_not_called()
From d25f9de22aba3d0487d21351aaf515f4610375df Mon Sep 17 00:00:00 2001
From: michael-smt <139211597+michael-smt@users.noreply.github.com>
Date: Tue, 5 Sep 2023 10:30:35 +0200
Subject: [PATCH 3/3] docs: change of ip proxy offset default value
---
 docs/admin/config.rst | 9 +++++++--
 docs/changes.rst | 2 ++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/docs/admin/config.rst b/docs/admin/config.rst
index 9d2d213a0233..f6338a3012b8 100644
--- a/docs/admin/config.rst
+++ b/docs/admin/config.rst
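Review bot: `test_proxy_invalid_last` cannot show that the middleware actually took the last header entry, because REMOTE_ADDR is pre-set to `"1.2.3.4"`, the same value as the entry offset -1 selects, and the only assertions are the returned `"response"` and that report_error was not called. Use a distinct trailing address, e.g. `request.META["HTTP_X_FORWARDED_FOR"] = "2.3.4, 5.6.7.8"` (constructed example), and, if ProxyMiddleware rewrites REMOTE_ADDR as its name suggests, follow the call with `self.assertEqual(request.META["REMOTE_ADDR"], "5.6.7.8")`. The method name also reads as if the last entry were the invalid one, while the fixture has the invalid entry first; `test_proxy_invalid_first_valid_last` would describe it. The enclosing test class, `self.get_response` and `ProxyMiddleware` are defined outside the hunk.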
@@ -940,19 +940,24 @@ Defaults to ``HTTP_X_FORWARDED_FOR``. IP_PROXY_OFFSET --------------- +.. versionchanged:: 5.0.1 + + The default changed from 1 to -1. + Indicates which part of :setting:`IP_PROXY_HEADER` is used as client IP address. Depending on your setup, this header might consist of several IP addresses, -(for example ``X-Forwarded-For: a, b, client-ip``) and you can configure +(for example ``X-Forwarded-For: client-ip, proxy-a, proxy-b``) and you can configure which address from the header is used as client IP address here. .. warning:: Setting this affects the security of your installation. You should only configure it to use trusted proxies for determining the IP address. + Please check for more details. -Defaults to 0. +Defaults to -1. .. seealso:: diff --git a/docs/changes.rst b/docs/changes.rst index d23cabcb9d29..804747fe64e8 100644 --- a/docs/changes.rst +++ b/docs/changes.rst @@ -20,6 +20,8 @@ Not yet released. **Compatibility** +* The default value of :setting::`IP_PROXY_OFFSET` has been changed from 1 to -1. + **Upgrading** Please follow :ref:`generic-upgrade-instructions` in order to perform update.