From 6562db151853e44e1c9005b8a932d7e3e77408a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Gierwia=C5=82o?=
Date: Wed, 3 Dec 2025 19:30:58 +0100
Subject: [PATCH] fix(backend): enable trust proxy for correct client IP detection
- Added app.set('trust proxy', 1) to allow Express to read proxy headers
- Enables proper client IP detection behind nginx reverse proxy
- Added /api/debug/ip endpoint for IP forwarding verification
Without trust proxy, Express ignores X-Forwarded-For and X-Real-IP headers, causing all requests to appear from nginx container IP (172.x.x.x).
This fix ensures:
- Activity logs record correct client IPs
- Rate limiting works per actual client IP
- Security features function properly
---
 backend/src/app.js | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/backend/src/app.js b/backend/src/app.js
index 715fb5d..5476f75 100644
--- a/backend/src/app.js
+++ b/backend/src/app.js
@@ -8,6 +8,10 @@ const { apiLimiter } = require('./middleware/rateLimiter');
 const app = express();
+// Trust proxy - Required for correct IP detection behind nginx/load balancer
+// This allows Express to read X-Forwarded-For and X-Real-IP headers
+app.set('trust proxy', 1);
+
 // Security Headers (helmet)
 app.use(helmet({
 contentSecurityPolicy: {
@@ -110,6 +114,20 @@ app.get('/api/health', (req, res) => {
 });
 });
+// IP check endpoint (for debugging - remove in production)
+app.get('/api/debug/ip', (req, res) => {
+ const { getClientIP } = require('./utils/request');
+ res.json({
+ clientIP: getClientIP(req),
+ headers: {
+ 'x-forwarded-for': req.headers['x-forwarded-for'],
+ 'x-real-ip': req.headers['x-real-ip'],
+ },
+ expressIP: req.ip,
+ socketIP: req.connection?.remoteAddress,
+ });
+});
+
 // Apply rate limiting to all API routes
 app.use('/api/', apiLimiter);
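Review bot: The comment above `app.set('trust proxy', 1)` overstates what the setting does: Express derives `req.ip`/`req.ips` from X-Forwarded-For only, so X-Real-IP is not consulted by this setting and anything `getClientIP` does with it is independent of this line. A value of `1` trusts exactly one hop, which is correct only while a single nginx sits directly in front of the app; if another load balancer is ever placed ahead of nginx, `req.ip` (and therefore `apiLimiter`'s key) becomes that balancer's address, and if the app is ever reachable without nginx a client can supply X-Forwarded-For itself. Suggest replacing the two comment lines with `// Trust exactly one proxy hop (nginx). Express uses only X-Forwarded-For for req.ip; X-Real-IP is not affected. Keep the hop count in sync with the deployment topology.`, and consider reading the hop count from configuration (e.g. an env var, constructed name `TRUST_PROXY_HOPS`) rather than hard-coding it.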
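Review bot: `/api/debug/ip` is registered before `app.use('/api/', apiLimiter)` and has no authentication, so it becomes an unauthenticated, unrate-limited endpoint that reflects proxy headers and the upstream socket address to any caller, with the "remove in production" comment as its only guard. Gate the registration at load time, e.g. wrap the `app.get(...)` in `if (process.env.NODE_ENV !== 'production') { ... }`, or at minimum move it below the `apiLimiter` line so it shares the rate limit. The `const { getClientIP } = require('./utils/request');` inside the handler should be hoisted to the top-level requires alongside `apiLimiter`, and `req.connection` is deprecated in Node in favour of `req.socket`, so use `socketIP: req.socket?.remoteAddress,`.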