From 71c1ec1416e20f1b6475654b2db5fd1546e71878 Mon Sep 17 00:00:00 2001 From: Marcelo Salloum Date: Tue, 20 Jan 2026 12:45:56 -0800 Subject: [PATCH 1/6] Create empty commit to test the deployed version From 03e2cceae9a2b16209608c31fa139722fe120849 Mon Sep 17 00:00:00 2001 From: Marcelo Salloum Date: Tue, 20 Jan 2026 12:57:45 -0800 Subject: [PATCH 2/6] Enable Express trust proxy for client IP forwarding Allows rate limiting to work per actual client IP instead of ingress pod IP when running behind NGINX Ingress. --- backend/routes.ts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/backend/routes.ts b/backend/routes.ts index 57b62e0b..2d44d8f8 100644 --- a/backend/routes.ts +++ b/backend/routes.ts @@ -12,6 +12,10 @@ export const app = express(); app.set("port", process.env.PORT || 5000); app.set("json spaces", 2); +// Trust proxy to get real client IPs behind NGINX Ingress +// This allows rate limiting to work per actual client IP instead of per ingress pod IP +app.set("trust proxy", true); + app.use(logger("combined")); // Global rate limiting for all requests (including static files) From e5333bb424279607619d7b48869d79f8d38641d8 Mon Sep 17 00:00:00 2001 From: Marcelo Salloum Date: Tue, 20 Jan 2026 14:54:21 -0800 Subject: [PATCH 3/6] test `trust proxy' == 1 --- backend/routes.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/routes.ts b/backend/routes.ts index 2d44d8f8..fee0a3d3 100644 --- a/backend/routes.ts +++ b/backend/routes.ts @@ -14,7 +14,7 @@ app.set("json spaces", 2); // Trust proxy to get real client IPs behind NGINX Ingress // This allows rate limiting to work per actual client IP instead of per ingress pod IP -app.set("trust proxy", true); +app.set("trust proxy", 1); app.use(logger("combined")); From 4f4a14fb83e9edc559a9afe8e6133afbc000af6b Mon Sep 17 00:00:00 2001 From: Marcelo Salloum Date: Tue, 20 Jan 2026 15:13:51 -0800 Subject: [PATCH 4/6] app.set("trust proxy", "loopback,linklocal,private"); --- backend/routes.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/routes.ts b/backend/routes.ts index fee0a3d3..6940aed6 100644 --- a/backend/routes.ts +++ b/backend/routes.ts @@ -14,7 +14,7 @@ app.set("json spaces", 2); // Trust proxy to get real client IPs behind NGINX Ingress // This allows rate limiting to work per actual client IP instead of per ingress pod IP -app.set("trust proxy", 1); +app.set("trust proxy", "loopback,linklocal,private"); app.use(logger("combined")); From 16ed10cc80fc226f845e6a40a025d9ef16da6966 Mon Sep 17 00:00:00 2001 From: Marcelo Salloum Date: Tue, 20 Jan 2026 15:37:34 -0800 Subject: [PATCH 5/6] app.set("trust proxy", "loopback,linklocal,uniquelocal"); --- backend/routes.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/routes.ts b/backend/routes.ts index 6940aed6..0de2e51c 100644 --- a/backend/routes.ts +++ b/backend/routes.ts @@ -14,7 +14,7 @@ app.set("json spaces", 2); // Trust proxy to get real client IPs behind NGINX Ingress // This allows rate limiting to work per actual client IP instead of per ingress pod IP -app.set("trust proxy", "loopback,linklocal,private"); +app.set("trust proxy", "loopback,linklocal,uniquelocal"); app.use(logger("combined")); From daac30f5ec32454aabb3b66a6e11a8a70bdc1948 Mon Sep 17 00:00:00 2001 From: Marcelo Salloum Date: Tue, 20 Jan 2026 16:03:26 -0800 Subject: [PATCH 6/6] Rely on the env for TRUST_PROXY --- backend/routes.ts | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/backend/routes.ts b/backend/routes.ts index 0de2e51c..ecca7e4b 100644 --- a/backend/routes.ts +++ b/backend/routes.ts @@ -12,9 +12,11 @@ export const app = express(); app.set("port", process.env.PORT || 5000); app.set("json spaces", 2); -// Trust proxy to get real client IPs behind NGINX Ingress -// This allows rate limiting to work per actual client IP instead of per ingress pod IP -app.set("trust proxy", "loopback,linklocal,uniquelocal"); +// Trust proxy to get real client IPs behind proxies/load balancers. +const defaultTrustProxy = "loopback,linklocal,uniquelocal"; +const trustProxy = process.env.TRUST_PROXY || defaultTrustProxy; +console.log(`Setting trust proxy to: ${trustProxy}`); +app.set("trust proxy", trustProxy); app.use(logger("combined"));