feat: add TRUST_PROXY configuration for client IP detection

Author: CasLubbers

src/app.ts

@@ -30,6 +30,7 @@ import {
   GIT_PASSWORD,
   GIT_PUSH_RETRIES,
   GIT_USER,
+  TRUST_PROXY,
 } from 'src/validators'
 import swaggerUi from 'swagger-ui-express'
 import giteaCheckLatest from './gitea/connect'
@@ -41,6 +42,7 @@ const env = cleanEnv({
   GIT_PASSWORD,
   EXPRESS_PAYLOAD_LIMIT,
   GIT_PUSH_RETRIES,
+  TRUST_PROXY,
 })
 
 const debug = Debug('otomi:app')
@@ -153,6 +155,14 @@ export async function initApp(inOtomiStack?: OtomiStack) {
   // Only create lightship in production (not in tests)
   const lightship = env.isTest ? null : createLightship()
   const app = express()
+
+  // Configure trust proxy for rate limiting behind Kubernetes Ingress
+  // See: https://github.com/express-rate-limit/express-rate-limit/wiki/Troubleshooting-Proxy-Issues
+  // Set to number of proxies between user and server (typically 1 for Kubernetes Ingress)
+  if (!env.isTest && env.TRUST_PROXY > 0) {
+    app.set('trust proxy', env.TRUST_PROXY)
+  }
+
   const apiRoutesPath = path.resolve(__dirname, 'api')
   await loadSpec()
   const authz = new Authz(otomiSpec.spec)

src/validators.ts

@@ -166,6 +166,11 @@ export const RATE_LIMIT_AUTH_MAX_ATTEMPTS = num({
   desc: 'Maximum number of failed authentication attempts per IP per time window',
   default: 500,
 })
+export const TRUST_PROXY = num({
+  desc: 'Number of reverse proxies to trust for client IP detection (0 to disable, 1 for Kubernetes Ingress, 2 for LB + Ingress)',
+  default: 1,
+  devDefault: 0,
+})
 const { env } = process
 export function cleanEnv<T>(validators: { [K in keyof T]: ValidatorSpec<T[K]> }, options: CleanOptions<T> = {}) {
   if (env.NODE_ENV === 'test') {