Skip to content

Add trust_proxy config option for deployments behind a reverse proxy #413

Description

@ppastur

Problem

When Raneto is deployed behind a reverse proxy (e.g. nginx, NPM), express-rate-limit
emits the following warning on every startup:

express-rate-limit: Looks like you're behind a reverse proxy but
trust proxy is not set...

This happens because the Express app is created without app.set('trust proxy', ...),
so the rate limiter sees the proxy's IP rather than real client IPs.

Expected behaviour

Raneto should provide a config option (e.g. trust_proxy) that, when set, calls
app.set('trust proxy', value) on the Express instance before the rate-limiter middleware.

Proposed fix

In app/index.js, after const app = express();, add:

if (config.trust_proxy !== undefined) app.set('trust proxy', config.trust_proxy);

Document the option in config/config.js. Set trust_proxy: 1 for a single reverse proxy.

Environment

  • Raneto: 0.18.1 (docker)
  • Deployed behind: nginx / Nginx Proxy Manager
  • express-rate-limit version: (see package.json)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions