Conversation

@marcelosalloum (Contributor) commented Jan 20, 2026

What

Allows rate limiting to work per actual client IP instead of ingress pod IP when running behind a reverse proxy such as NGINX Ingress, or Cloudflare.

"trust proxy" relies on the TRUST_PROXY env and defaults to "loopback,linklocal,uniquelocal".

Why

All IPs were being considered the same IP for the global rate-limiter, which was triggering 429s somewhat often.

@marcelosalloum marcelosalloum self-assigned this Jan 20, 2026
@marcelosalloum marcelosalloum changed the title from "[DRAFT] Fix: Enable Express trust proxy for client IP forwarding" to "Fix: Enable Express trust proxy for client IP forwarding" Jan 20, 2026
@marcelosalloum marcelosalloum marked this pull request as ready for review January 20, 2026 22:25
Copilot AI review requested due to automatic review settings January 20, 2026 22:25
@marcelosalloum marcelosalloum requested a review from a team January 20, 2026 22:26
Copilot AI left a comment

Pull request overview

This PR enables Express's trust proxy setting to allow the application to correctly identify client IPs when running behind NGINX Ingress. This is essential for the rate limiting functionality to work correctly per actual client IP rather than seeing all requests as coming from the ingress pod IP.

Changes:

  • Added app.set("trust proxy", true) configuration to enable proxy IP forwarding in Express

// Trust proxy to get real client IPs behind NGINX Ingress
// This allows rate limiting to work per actual client IP instead of per ingress pod IP
app.set("trust proxy", true);
Copilot AI Jan 20, 2026

Setting trust proxy to true trusts all proxies, which can be a security risk if the application is accessible without going through the expected proxy. Consider using a more specific value like 1 (trust only the first hop) or "loopback, linklocal, uniquelocal" (trust only private IP ranges), or make it configurable via an environment variable. This prevents potential IP spoofing attacks if the application is accidentally exposed directly to the internet.

Suggested change
app.set("trust proxy", true);
const trustProxySetting = process.env.TRUST_PROXY ?? "loopback, linklocal, uniquelocal";
app.set("trust proxy", trustProxySetting);

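An added example, not code from this PR or the project, modelling how Express resolves req.ip under each "trust proxy" value (the proxy-addr walk over X-Forwarded-For, IPv4 only) so the difference between true, 1 and the default "loopback, linklocal, uniquelocal" can be checked offline. The addresses 10.0.5.7, 203.0.113.9, 198.51.100.4 and 1.2.3.4 are constructed sample values, not anything from the deployment.

```javascript
// Constructed model of Express's "trust proxy" resolution (proxy-addr
// algorithm), IPv4 only, to show which address each setting reports as req.ip.
const NAMED_RANGES = {
  loopback: ["127.0.0.0/8"],
  linklocal: ["169.254.0.0/16"],
  uniquelocal: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
};

// Dotted-quad IPv4 string to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

// True when ip lies inside the CIDR block.
function inCidr(ip, cidr) {
  const [net, bits] = cidr.split("/");
  const mask = bits === "0" ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(net) & mask);
}

// Compile a "trust proxy" value into a predicate (addr, hopIndex) => bool.
function compileTrust(setting) {
  if (setting === true) return () => true;
  if (setting === false) return () => false;
  if (typeof setting === "number") return (_addr, i) => i < setting;
  const cidrs = setting.split(",").map((s) => s.trim())
    .flatMap((s) => NAMED_RANGES[s] ?? [s.includes("/") ? s : `${s}/32`]);
  return (addr) => cidrs.some((c) => inCidr(addr, c));
}

// Start at the socket address, walk X-Forwarded-For right to left while
// each hop is trusted, and report the first untrusted address.
function resolveClientIp(remoteAddress, xForwardedFor, setting) {
  const trust = compileTrust(setting);
  const hops = xForwardedFor
    ? xForwardedFor.split(",").map((s) => s.trim()).reverse() : [];
  const addrs = [remoteAddress, ...hops];
  for (let i = 0; i < addrs.length - 1; i++) {
    if (!trust(addrs[i], i)) { addrs.length = i + 1; break; }
  }
  return addrs[addrs.length - 1];
}

// Constructed sample: the ingress pod (10.0.5.7) appended the real client
// (203.0.113.9) to a header the client had pre-filled with 1.2.3.4.
const DEFAULT_TRUST = "loopback, linklocal, uniquelocal";
for (const setting of [DEFAULT_TRUST, 1, true]) {
  console.log(JSON.stringify(setting), "->",
    resolveClientIp("10.0.5.7", "1.2.3.4, 203.0.113.9", setting));
}
```

Running it shows that the default and 1 both stop at the ingress hop and report 203.0.113.9, while true walks through to the client-supplied 1.2.3.4, which is the exposure the review comment describes.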
@github-project-automation github-project-automation bot moved this to Backlog (Not Ready) in DevX Jan 20, 2026
@marcelosalloum marcelosalloum moved this from Backlog (Not Ready) to In Progress in DevX Jan 20, 2026
@marcelosalloum marcelosalloum moved this from In Progress to Needs Review in DevX Jan 20, 2026
@marcelosalloum marcelosalloum merged commit 93f06e5 into master Jan 21, 2026
5 of 6 checks passed
@marcelosalloum marcelosalloum deleted the fix/global-429 branch January 21, 2026 17:56
@github-project-automation github-project-automation bot moved this from Needs Review to Done in DevX Jan 21, 2026
@marcelosalloum marcelosalloum moved this from Done to In Progress in DevX Jan 21, 2026