fix(proxy): configure trust proxy via TRUST_PROXY env var
Without trust proxy, the rate limiter uses the reverse proxy IP instead of the real client IP, making all requests appear to come from one IP. Set TRUST_PROXY=1 in production when behind a single nginx/Apache hop.
This commit is contained in:
Vendored
+4
@@ -34,3 +34,7 @@ COUCHDB_CREDENTIAL="base64-encoded-credentials"
|
|||||||
SKYDIVERID_API_URL="https://api.example.com"
|
SKYDIVERID_API_URL="https://api.example.com"
|
||||||
SKYDIVERID_API_TOKEN="your-api-token"
|
SKYDIVERID_API_TOKEN="your-api-token"
|
||||||
AUTHORIZATION_PREFIX="Api-Key"
|
AUTHORIZATION_PREFIX="Api-Key"
|
||||||
|
|
||||||
|
# Reverse proxy hops in front of the API (e.g. 1 for nginx). Omit in dev.
|
||||||
|
# Required for rate limiting to use the real client IP behind a proxy.
|
||||||
|
# TRUST_PROXY=1
|
||||||
|
|||||||
@@ -10,6 +10,9 @@ const config = require('./config'),
|
|||||||
|
|
||||||
function createApp() {
|
function createApp() {
|
||||||
const app = express();
|
const app = express();
|
||||||
|
if (process.env.TRUST_PROXY) {
|
||||||
|
app.set('trust proxy', parseInt(process.env.TRUST_PROXY, 10) || process.env.TRUST_PROXY);
|
||||||
|
}
|
||||||
app.use(helmet({ contentSecurityPolicy: false }));
|
app.use(helmet({ contentSecurityPolicy: false }));
|
||||||
const allowedOrigins = process.env.ALLOWED_ORIGINS
|
const allowedOrigins = process.env.ALLOWED_ORIGINS
|
||||||
? process.env.ALLOWED_ORIGINS.split(',').map(o => o.trim())
|
? process.env.ALLOWED_ORIGINS.split(',').map(o => o.trim())
|
||||||
|
|||||||
Reference in New Issue
Block a user