fix(backend): enable trust proxy for correct client IP detection
- Added app.set('trust proxy', 1) to allow Express to read proxy headers
- Enables proper client IP detection behind nginx reverse proxy
- Added /api/debug/ip endpoint for IP forwarding verification
Without trust proxy, Express ignores X-Forwarded-For and X-Real-IP headers,
causing all requests to appear from nginx container IP (172.x.x.x).
This fix ensures:
- Activity logs record correct client IPs
- Rate limiting works per actual client IP
- Security features function properly
@@ -8,6 +8,10 @@ const { apiLimiter } = require('./middleware/rateLimiter');
|
|||||||
|
|
||||||
const app = express();
|
const app = express();
|
||||||
|
|
||||||
|
// Trust proxy - Required for correct IP detection behind nginx/load balancer
|
||||||
|
// This allows Express to read X-Forwarded-For and X-Real-IP headers
|
||||||
|
app.set('trust proxy', 1);
|
||||||
|
|
||||||
// Security Headers (helmet)
|
// Security Headers (helmet)
|
||||||
app.use(helmet({
|
app.use(helmet({
|
||||||
contentSecurityPolicy: {
|
contentSecurityPolicy: {
|
||||||
@@ -110,6 +114,20 @@ app.get('/api/health', (req, res) => {
|
|||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
// IP check endpoint (for debugging - remove in production)
|
||||||
|
app.get('/api/debug/ip', (req, res) => {
|
||||||
|
const { getClientIP } = require('./utils/request');
|
||||||
|
res.json({
|
||||||
|
clientIP: getClientIP(req),
|
||||||
|
headers: {
|
||||||
|
'x-forwarded-for': req.headers['x-forwarded-for'],
|
||||||
|
'x-real-ip': req.headers['x-real-ip'],
|
||||||
|
},
|
||||||
|
expressIP: req.ip,
|
||||||
|
socketIP: req.connection?.remoteAddress,
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
// Apply rate limiting to all API routes
|
// Apply rate limiting to all API routes
|
||||||
app.use('/api/', apiLimiter);
|
app.use('/api/', apiLimiter);
|
||||||
|
|
||||||
|
|||||||
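Review bot: The new `/api/debug/ip` route in the second hunk is registered unconditionally and before `app.use('/api/', apiLimiter)`, so despite the "remove in production" comment it ships in every environment and is not covered by the limiter while echoing forwarding headers and the socket address back to any caller. Gate the registration on the environment, e.g. `if (process.env.NODE_ENV !== 'production') {` around the `app.get(...)` block, or move it below the `apiLimiter` line so it is at least rate-limited like the other API routes. `req.connection` is deprecated in current Node; `socketIP: req.socket?.remoteAddress,` is the supported form, and the `require('./utils/request')` inside the handler belongs at the top of the file with the other requires. With `trust proxy` set to `1`, `req.ip` is the address nginx appends and is not client-controlled, but whether `getClientIP` reads `req.ip` or the first entry of `x-forwarded-for` is not visible here — if it is the latter, the "correct client IP" the commit promises for logs and rate limiting is still spoofable and worth confirming.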