fix: add TRUST_PROXY config to support deployments behind reverse proxies

TheLastCicada · TheLastCicada · commit 77498df0857c · 2026-05-07T13:55:33.000-07:00
Deployments behind nginx, Cloudflare, or both were logging a startup
ValidationError from express-rate-limit because Express's trust proxy
setting was not configured, preventing real client IPs from being
resolved from X-Forwarded-For headers.

Adds TRUST_PROXY to the APP config section (default: 0 = no proxy).
Set to 1 for a single proxy hop (nginx or Cloudflare), or 2 for two
hops (Cloudflare + nginx, typical k8s ingress).

Updates README with documentation for the new setting.
diff --git a/README.md b/README.md
@@ -256,6 +256,7 @@ In the `CHIA_ROOT` directory (usually `~/.chia/mainnet` on Linux), CADT will add
 * **APP**: This section contains shared configuration used by both V1 and V2 APIs.
   * **CW_PORT**: CADT port where the API will be available. 31310 by default.
   * **BIND_ADDRESS**: By default, CADT listens on localhost only. To enable remote connections to CADT, change this to `0.0.0.0` to listen on all network interfaces, or to an IP address to listen on a specific network interface.
+  * **TRUST_PROXY**: Number of reverse-proxy hops between the internet and CADT. Used to correctly identify real client IP addresses for rate limiting and logging when CADT is deployed behind one or more proxies. Set to `0` (the default) when CADT is accessed directly with no proxy in front of it. Set to `1` when behind a single proxy such as nginx or Cloudflare. Set to `2` when behind two proxies such as Cloudflare in front of nginx (a common cloud/k8s deployment). Never set to `true`; that would trust the user-supplied IP in the `X-Forwarded-For` header and defeat rate limiting.
   * **DATALAYER_URL**: URL and port to connect to the [Chia DataLayer RPC](https://docs.chia.net/datalayer-rpc). If Chia is installed locally with default settings, https://localhost:8562 will work.
   * **WALLET_URL**: URL and port to connect to the [Chia Wallet RPC](https://docs.chia.net/wallet-rpc). If Chia is installed on the same machine as CADT with default settings, https://localhost:9256 will work.
   * **USE_SIMULATOR**: Developer setting to populate CADT from a governance file and enable some extra APIs. Should always be "false" under normal usage.
diff --git a/src/middleware.js b/src/middleware.js
@@ -47,6 +47,17 @@ const isReadOnlyMethodBlocked = (method) => !['GET', 'HEAD', 'OPTIONS'].includes
 
 const app = express();
 
+// Configure proxy trust so Express resolves real client IPs from
+// X-Forwarded-For headers.  TRUST_PROXY counts reverse-proxy hops:
+//   0  – no proxy (default, direct access)
+//   1  – one hop  (nginx OR Cloudflare-only)
+//   2  – two hops (Cloudflare → nginx, typical k8s ingress setup)
+// This also silences the express-rate-limit ValidationError that fires
+// when X-Forwarded-For is present but trust proxy is disabled.
+// Never use `true`; it trusts the user-supplied leftmost IP.
+const trustProxy = getConfig().APP.TRUST_PROXY ?? 0;
+app.set('trust proxy', trustProxy);
+
 app.use(
   cors({
     exposedHeaders: Object.values(headerKeys).join(','),
diff --git a/src/utils/defaultConfig.js b/src/utils/defaultConfig.js
@@ -2,6 +2,17 @@ export const defaultConfig = {
   APP: {
     CW_PORT: 31310,
     BIND_ADDRESS: 'localhost',
+    /**
+     * Number of reverse-proxy hops between the internet and CADT.
+     * Passed directly to Express `trust proxy`.
+     *   0  – no proxy (default, direct access)
+     *   1  – one hop  (nginx OR Cloudflare-only)
+     *   2  – two hops (Cloudflare → nginx, typical k8s ingress setup)
+     * Setting this correctly lets express-rate-limit see the real client IP
+     * instead of the proxy IP.  Never set to `true`; that trusts the
+     * user-supplied leftmost IP and defeats rate limiting.
+     */
+    TRUST_PROXY: 0,
     DATALAYER_URL: 'https://localhost:8562',
     WALLET_URL: 'https://localhost:9256',
     USE_SIMULATOR: false,
