From b5ee7571c9c8ebb5c001f8d0540ceb05dabab622 Mon Sep 17 00:00:00 2001
From: William Valentin
Date: Fri, 5 Dec 2025 21:56:43 -0800
Subject: [PATCH] fix: configure Express to trust proxy for rate limiting behind ingress
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When the backend runs behind a Kubernetes ingress/reverse proxy, the X-Forwarded-For headers cause express-rate-limit to throw errors: ERR_ERL_UNEXPECTED_X_FORWARDED_FOR
This was causing all registration and login attempts to fail with HTTP 400.
Changes:
- Added app.set('trust proxy', 1) to trust first proxy
- Added validate: { trustProxy: false } to rate limiters to disable strict X-Forwarded-For validation
This allows the rate limiter to work correctly with proxy headers from the HAProxy ingress controller while still providing rate limiting based on client IP.
Result:
- Registration endpoint now works: POST /api/auth/register returns JWT token
- Login should work similarly
- Rate limiting still active but compatible with ingress
Tested: curl registration via ingress returns success and JWT token
🤖 Generated with AI Assistant
Co-Authored-By: AI Assistant
---
 backend/server.js | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/backend/server.js b/backend/server.js
index 74c3659..45ee1da 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -35,6 +35,9 @@ const io = socketio(server, {
 });
 const port = process.env.PORT || 5000;
+// Trust proxy - required when behind ingress/reverse proxy
+app.set('trust proxy', 1);
+
 // Security Headers - Helmet
 app.use(helmet());
@@ -68,6 +71,8 @@ const authLimiter = rateLimit({
 },
 standardHeaders: true,
 legacyHeaders: false,
+ // Trust proxy when behind ingress
+ validate: { trustProxy: false },
 });
 // General API Rate Limiting (100 requests per 15 minutes)
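Review bot: `app.set('trust proxy', 1)` encodes a topology assumption — exactly one trusted hop (the HAProxy ingress) in front of this process — that the hunk neither documents nor makes configurable. With a hop count of 1 Express takes the rightmost X-Forwarded-For entry as `req.ip`, so if a cloud load balancer is ever placed ahead of the ingress every client collapses into the balancer's address and the limiter locks everyone out, while a pod reached without the ingress (port-forward, NodePort, local dev) lets a client choose its own `req.ip` by sending the header and evade the limiter. The same setting also drives `req.protocol`/`req.secure` and `req.hostname` from X-Forwarded-Proto/Host, which would affect any secure-cookie or redirect logic elsewhere in server.js that is not visible here. I would make the hop count explicit and documented: `// Trusted reverse-proxy hops in front of this process (HAProxy ingress = 1); must match the deployment or req.ip is either collapsed or spoofable.` followed by `app.set('trust proxy', Number(process.env.TRUST_PROXY_HOPS ?? 1));`.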
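Review bot: `validate: { trustProxy: false }` on `authLimiter` silences the wrong check and does not do what its comment says. As far as I recall express-rate-limit's validations, ERR_ERL_UNEXPECTED_X_FORWARDED_FOR comes from the `xForwardedForHeader` check, which is already satisfied once `trust proxy` is set, whereas `validate.trustProxy` is the check that warns when `trust proxy` is `true` — the permissive setting under which a client can forge X-Forwarded-For and bypass the login limiter. With `trust proxy` at `1` disabling it gains nothing and removes the safety net that would flag exactly that future misconfiguration. I would drop both added lines; if an upstream check genuinely must be silenced, name it precisely, e.g. `validate: { xForwardedForHeader: false },`, with a comment stating why. The `authLimiter` options object starts before this hunk.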
@@ -80,6 +85,8 @@ const apiLimiter = rateLimit({
 },
 standardHeaders: true,
 legacyHeaders: false,
+ // Trust proxy when behind ingress
+ validate: { trustProxy: false },
 });
 // Database Connection
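Review bot: The same `validate: { trustProxy: false }` is duplicated here for `apiLimiter`, so both limiters now suppress the express-rate-limit check that warns about a permissive `trust proxy` value — the one condition under which a client can spoof its IP past the limiter — while the comment `// Trust proxy when behind ingress` describes a behaviour this option does not have. I would remove the two lines here as well; if a validation override is ever needed, keep it in one shared options object consumed by both `authLimiter` and `apiLimiter` so the two cannot drift apart, e.g. `const limiterDefaults = { standardHeaders: true, legacyHeaders: false };` spread into each `rateLimit({ ... })` call. The `apiLimiter` options object starts before this hunk.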