Simplify rate limiting: always trust proxy headers

Since the registry is always deployed behind NGINX ingress with
use-forwarded-headers=true, there's no need for a TrustProxy config option.
The NGINX ingress is trusted infrastructure that correctly sets
X-Forwarded-For headers.

Removed:
- TrustProxy config option and environment variable
- Tests for TrustProxy enabled/disabled behavior

The implementation now always checks X-Forwarded-For/X-Real-IP headers
first, then falls back to RemoteAddr. This matches the deployment setup.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: tadasant

.env.example

@@ -46,7 +46,3 @@ MCP_REGISTRY_RATE_LIMIT_ENABLED=true
 MCP_REGISTRY_RATE_LIMIT_REQUESTS_PER_MINUTE=60
 # Maximum requests per hour per IP address (default: 1000)
 MCP_REGISTRY_RATE_LIMIT_REQUESTS_PER_HOUR=1000
-# Trust X-Forwarded-For and X-Real-IP headers from reverse proxy (default: false)
-# Only enable this when running behind a trusted reverse proxy (nginx, cloud load balancer)
-# WARNING: Setting this to true without a trusted proxy allows IP spoofing
-MCP_REGISTRY_RATE_LIMIT_TRUST_PROXY=false

internal/api/ratelimit/ratelimit.go

@@ -23,10 +23,6 @@ type Config struct {
 	CleanupInterval time.Duration
 	// SkipPaths are paths that should not be rate limited
 	SkipPaths []string
-	// TrustProxy determines if X-Forwarded-For and X-Real-IP headers should be trusted.
-	// Set to true only when running behind a trusted reverse proxy (e.g., nginx, cloud load balancer).
-	// When false, only the direct connection IP (RemoteAddr) is used, preventing IP spoofing.
-	TrustProxy bool
 	// MaxVisitors is the maximum number of visitor entries to track (memory protection).
 	// When exceeded, oldest entries are evicted. Default: 100000.
 	MaxVisitors int
@@ -39,7 +35,6 @@ func DefaultConfig() Config {
 		RequestsPerHour:   1000,
 		CleanupInterval:   10 * time.Minute,
 		SkipPaths:         []string{"/health", "/ping", "/metrics"},
-		TrustProxy:        false, // Secure default: don't trust proxy headers
 		MaxVisitors:       100000,
 	}
 }
@@ -198,32 +193,29 @@ func (rl *RateLimiter) shouldSkip(path string) bool {
 }
 
 // getClientIP extracts the client IP from the request.
-// When TrustProxy is true, it considers X-Forwarded-For and X-Real-IP headers.
-// When TrustProxy is false, only RemoteAddr is used to prevent IP spoofing.
-func (rl *RateLimiter) getClientIP(r *http.Request) string {
-	// Only trust proxy headers if explicitly configured
-	if rl.config.TrustProxy {
-		// Check X-Forwarded-For header (can contain multiple IPs)
-		if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
-			// Take the first IP (original client)
-			if idx := strings.Index(xff, ","); idx != -1 {
-				xff = xff[:idx]
-			}
-			xff = strings.TrimSpace(xff)
-			if ip := validateAndNormalizeIP(xff); ip != "" {
-				return ip
-			}
+// It considers X-Forwarded-For and X-Real-IP headers for reverse proxy scenarios,
+// as the registry is deployed behind NGINX ingress with use-forwarded-headers enabled.
+func getClientIP(r *http.Request) string {
+	// Check X-Forwarded-For header (can contain multiple IPs)
+	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
+		// Take the first IP (original client)
+		if idx := strings.Index(xff, ","); idx != -1 {
+			xff = xff[:idx]
+		}
+		xff = strings.TrimSpace(xff)
+		if ip := validateAndNormalizeIP(xff); ip != "" {
+			return ip
 		}
+	}
 
-		// Check X-Real-IP header
-		if xri := r.Header.Get("X-Real-IP"); xri != "" {
-			if ip := validateAndNormalizeIP(strings.TrimSpace(xri)); ip != "" {
-				return ip
-			}
+	// Check X-Real-IP header
+	if xri := r.Header.Get("X-Real-IP"); xri != "" {
+		if ip := validateAndNormalizeIP(strings.TrimSpace(xri)); ip != "" {
+			return ip
 		}
 	}
 
-	// Fall back to RemoteAddr (always used when TrustProxy is false)
+	// Fall back to RemoteAddr
 	ip, _, err := net.SplitHostPort(r.RemoteAddr)
 	if err != nil {
 		// RemoteAddr might not have a port
@@ -265,7 +257,7 @@ func (rl *RateLimiter) Middleware(next http.Handler) http.Handler {
 			return
 		}
 
-		ip := rl.getClientIP(r)
+		ip := getClientIP(r)
 
 		if !rl.Allow(ip) {
 			w.Header().Set("Content-Type", "application/problem+json")

internal/api/ratelimit/ratelimit_test.go

@@ -21,7 +21,6 @@ func TestRateLimiter_Allow(t *testing.T) {
 		RequestsPerHour:   10,
 		CleanupInterval:   time.Hour, // Long interval to avoid cleanup during test
 		SkipPaths:         []string{"/health"},
-		TrustProxy:        false,
 		MaxVisitors:       1000,
 	}
 	rl := ratelimit.New(cfg)
@@ -54,7 +53,6 @@ func TestRateLimiter_HourlyLimit(t *testing.T) {
 		RequestsPerHour:   5,
 		CleanupInterval:   time.Hour,
 		SkipPaths:         []string{"/health"},
-		TrustProxy:        false,
 		MaxVisitors:       1000,
 	}
 	rl := ratelimit.New(cfg)
@@ -81,7 +79,6 @@ func TestRateLimiter_Middleware(t *testing.T) {
 		RequestsPerHour:   100,
 		CleanupInterval:   time.Hour,
 		SkipPaths:         []string{"/health", "/ping"},
-		TrustProxy:        false,
 		MaxVisitors:       1000,
 	}
 	rl := ratelimit.New(cfg)
@@ -165,13 +162,12 @@ func TestRateLimiter_Middleware(t *testing.T) {
 	})
 }
 
-func TestGetClientIP_TrustProxyEnabled(t *testing.T) {
+func TestGetClientIP_WithHeaders(t *testing.T) {
 	cfg := ratelimit.Config{
 		RequestsPerMinute: 1,
 		RequestsPerHour:   100,
 		CleanupInterval:   time.Hour,
 		SkipPaths:         []string{},
-		TrustProxy:        true, // Trust proxy headers
 		MaxVisitors:       1000,
 	}
 	rl := ratelimit.New(cfg)
@@ -183,7 +179,7 @@ func TestGetClientIP_TrustProxyEnabled(t *testing.T) {
 
 	middleware := rl.Middleware(handler)
 
-	t.Run("uses X-Forwarded-For header when TrustProxy is true", func(t *testing.T) {
+	t.Run("uses X-Forwarded-For header", func(t *testing.T) {
 		// First request from this forwarded IP
 		req := httptest.NewRequest(http.MethodGet, "/test", nil)
 		req.RemoteAddr = testLocalAddr
@@ -230,7 +226,7 @@ func TestGetClientIP_TrustProxyEnabled(t *testing.T) {
 		}
 	})
 
-	t.Run("uses X-Real-IP header when TrustProxy is true", func(t *testing.T) {
+	t.Run("uses X-Real-IP header", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodGet, "/test", nil)
 		req.RemoteAddr = testLocalAddr
 		req.Header.Set("X-Real-IP", "203.0.113.3")
@@ -252,75 +248,8 @@ func TestGetClientIP_TrustProxyEnabled(t *testing.T) {
 			t.Errorf("second request should be blocked, got status %d", w2.Code)
 		}
 	})
-}
-
-func TestGetClientIP_TrustProxyDisabled(t *testing.T) {
-	cfg := ratelimit.Config{
-		RequestsPerMinute: 1,
-		RequestsPerHour:   100,
-		CleanupInterval:   time.Hour,
-		SkipPaths:         []string{},
-		TrustProxy:        false, // Don't trust proxy headers (secure default)
-		MaxVisitors:       1000,
-	}
-	rl := ratelimit.New(cfg)
-	defer rl.Stop()
 
-	handler := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-		w.WriteHeader(http.StatusOK)
-	})
-
-	middleware := rl.Middleware(handler)
-
-	t.Run("ignores X-Forwarded-For when TrustProxy is false", func(t *testing.T) {
-		// First request - uses RemoteAddr despite X-Forwarded-For
-		req := httptest.NewRequest(http.MethodGet, "/test", nil)
-		req.RemoteAddr = "10.0.0.10:12345"
-		req.Header.Set("X-Forwarded-For", "203.0.113.1")
-		w := httptest.NewRecorder()
-		middleware.ServeHTTP(w, req)
-
-		if w.Code != http.StatusOK {
-			t.Errorf("first request should be allowed, got status %d", w.Code)
-		}
-
-		// Second request from same RemoteAddr (different X-Forwarded-For) should be blocked
-		req2 := httptest.NewRequest(http.MethodGet, "/test", nil)
-		req2.RemoteAddr = "10.0.0.10:12346"
-		req2.Header.Set("X-Forwarded-For", "203.0.113.99") // Different spoofed IP
-		w2 := httptest.NewRecorder()
-		middleware.ServeHTTP(w2, req2)
-
-		if w2.Code != http.StatusTooManyRequests {
-			t.Errorf("second request should be blocked (spoofing prevented), got status %d", w2.Code)
-		}
-	})
-
-	t.Run("ignores X-Real-IP when TrustProxy is false", func(t *testing.T) {
-		// First request
-		req := httptest.NewRequest(http.MethodGet, "/test", nil)
-		req.RemoteAddr = "10.0.0.11:12345"
-		req.Header.Set("X-Real-IP", "203.0.113.5")
-		w := httptest.NewRecorder()
-		middleware.ServeHTTP(w, req)
-
-		if w.Code != http.StatusOK {
-			t.Errorf("first request should be allowed, got status %d", w.Code)
-		}
-
-		// Second request from same RemoteAddr should be blocked
-		req2 := httptest.NewRequest(http.MethodGet, "/test", nil)
-		req2.RemoteAddr = "10.0.0.11:12346"
-		req2.Header.Set("X-Real-IP", "203.0.113.99") // Different spoofed IP
-		w2 := httptest.NewRecorder()
-		middleware.ServeHTTP(w2, req2)
-
-		if w2.Code != http.StatusTooManyRequests {
-			t.Errorf("second request should be blocked, got status %d", w2.Code)
-		}
-	})
-
-	t.Run("uses RemoteAddr correctly", func(t *testing.T) {
+	t.Run("falls back to RemoteAddr when no headers", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodGet, "/test", nil)
 		req.RemoteAddr = "203.0.113.4:12345"
 		w := httptest.NewRecorder()
@@ -348,7 +277,6 @@ func TestGetClientIP_InvalidIPs(t *testing.T) {
 		RequestsPerHour:   1000,
 		CleanupInterval:   time.Hour,
 		SkipPaths:         []string{},
-		TrustProxy:        true,
 		MaxVisitors:       1000,
 	}
 	rl := ratelimit.New(cfg)
@@ -404,7 +332,6 @@ func TestRateLimiter_MaxVisitors(t *testing.T) {
 		RequestsPerHour:   1000,
 		CleanupInterval:   time.Hour,
 		SkipPaths:         []string{},
-		TrustProxy:        false,
 		MaxVisitors:       3, // Very low limit for testing
 	}
 	rl := ratelimit.New(cfg)
@@ -431,7 +358,6 @@ func TestRateLimiter_Concurrency(_ *testing.T) {
 		RequestsPerHour:   10000,
 		CleanupInterval:   time.Hour,
 		SkipPaths:         []string{},
-		TrustProxy:        false,
 		MaxVisitors:       100,
 	}
 	rl := ratelimit.New(cfg)
@@ -471,10 +397,6 @@ func TestDefaultConfig(t *testing.T) {
 		t.Errorf("expected CleanupInterval to be 10 minutes, got %v", cfg.CleanupInterval)
 	}
 
-	if cfg.TrustProxy != false {
-		t.Error("expected TrustProxy to default to false for security")
-	}
-
 	if cfg.MaxVisitors != 100000 {
 		t.Errorf("expected MaxVisitors to be 100000, got %d", cfg.MaxVisitors)
 	}

internal/api/server.go

@@ -80,7 +80,6 @@ func NewServer(cfg *config.Config, registryService service.RegistryService, metr
 			RequestsPerHour:   cfg.RateLimitRequestsPerHour,
 			CleanupInterval:   10 * time.Minute,
 			SkipPaths:         []string{"/health", "/ping", "/metrics"},
-			TrustProxy:        cfg.RateLimitTrustProxy,
 			MaxVisitors:       100000,
 		}
 		rateLimiter = ratelimit.New(rateLimitConfig)

internal/config/config.go

@@ -29,7 +29,6 @@ type Config struct {
 	RateLimitEnabled           bool `env:"RATE_LIMIT_ENABLED" envDefault:"true"`
 	RateLimitRequestsPerMinute int  `env:"RATE_LIMIT_REQUESTS_PER_MINUTE" envDefault:"60"`
 	RateLimitRequestsPerHour   int  `env:"RATE_LIMIT_REQUESTS_PER_HOUR" envDefault:"1000"`
-	RateLimitTrustProxy        bool `env:"RATE_LIMIT_TRUST_PROXY" envDefault:"false"`
 }
 
 // NewConfig creates a new configuration with default values