fix(backend): enable trust proxy for correct client IP detection

- Added app.set('trust proxy', 1) to allow Express to read proxy headers - Enables proper client IP detection behind nginx reverse proxy - Added /api/debug/ip endpoint for IP forwarding verification Without trust proxy, Express ignores X-Forwarded-For and X-Real-IP headers, causing all requests to appear from nginx container IP (172.x.x.x). This fix ensures: - Activity logs record correct client IPs - Rate limiting works per actual client IP - Security features function properly
2025-12-03 19:30:58 +01:00
parent d8d04adfc6
commit 6562db1518
1 changed files with 18 additions and 0 deletions
--- a/backend/src/app.js
+++ b/backend/src/app.js
@@ -8,6 +8,10 @@ const { apiLimiter } = require('./middleware/rateLimiter');

 const app = express();

+// Trust proxy - Required for correct IP detection behind nginx/load balancer
+// This allows Express to read X-Forwarded-For and X-Real-IP headers
+app.set('trust proxy', 1);
+
 // Security Headers (helmet)
 app.use(helmet({
  contentSecurityPolicy: {
@@ -110,6 +114,20 @@ app.get('/api/health', (req, res) => {
  });
 });

+// IP check endpoint (for debugging - remove in production)
+app.get('/api/debug/ip', (req, res) => {
+  const { getClientIP } = require('./utils/request');
+  res.json({
+    clientIP: getClientIP(req),
+    headers: {
+      'x-forwarded-for': req.headers['x-forwarded-for'],
+      'x-real-ip': req.headers['x-real-ip'],
+    },
+    expressIP: req.ip,
+    socketIP: req.connection?.remoteAddress,
+  });
+});
+
 // Apply rate limiting to all API routes
 app.use('/api/', apiLimiter);