Setup infra for reverse proxy (#831)

2026-02-10 20:22:51 +02:00 · 2026-02-10 20:22:51 +02:00 · 2b4cb0aeb2
commit 2b4cb0aeb2
parent f8ad3724af
6 changed files with 36 additions and 0 deletions
--- a/1
+++ b/1
@ -122,6 +122,7 @@ ENV NODE_ENV=production \
    TUDUDI_SESSION_SECRET="" \
    TUDUDI_USER_EMAIL="" \
    TUDUDI_USER_PASSWORD="" \
+    TUDUDI_TRUST_PROXY=false \
    DISABLE_TELEGRAM=false \
    DISABLE_SCHEDULER=false \
    TUDUDI_UPLOAD_PATH="/app/backend/uploads" \
--- a/README.md
+++ b/README.md
@ -79,6 +79,24 @@ docker run \

 Navigate to [http://localhost:3002](http://localhost:3002) and login with your credentials.

+### Reverse Proxy Setup
+
+When running behind a reverse proxy (Caddy, Nginx, Traefik, etc.), set `TUDUDI_TRUST_PROXY` so that Express correctly reads client IPs from `X-Forwarded-For` headers. Without this, `express-rate-limit` will log a validation error.
+
+```bash
+docker run \
+  -e TUDUDI_TRUST_PROXY=true \
+  -e TUDUDI_ALLOWED_ORIGINS=https://your-domain.com \
+  ...
+```
+
+| Value | Meaning |
+|-------|---------|
+| `true` | Trust all proxies (simplest option for single-proxy setups) |
+| `1` | Trust the first hop only |
+| `loopback` | Trust loopback addresses (127.0.0.1/::1) |
+| `172.16.0.0/12` | Trust a specific subnet |
+
 ### 📚 Documentation

 For detailed setup instructions, configuration options, and getting started guides, visit:
--- a/backend/.env.example
+++ b/backend/.env.example
@ -26,3 +26,5 @@ REGISTRATION_TOKEN_EXPIRY_HOURS=24

 DISABLE_SCHEDULER=false
 DISABLE_TELEGRAM=false
+
+# TUDUDI_TRUST_PROXY=true
--- a/backend/app.js
+++ b/backend/app.js
@ -19,6 +19,10 @@ const API_BASE_PATH = `/api/${API_VERSION}`;

 const app = express();

+if (config.trustProxy !== false) {
+    app.set('trust proxy', config.trustProxy);
+}
+
 // Session store
 const sessionStore = new SequelizeStore({
    db: sequelize,
--- a/backend/config/config.js
+++ b/backend/config/config.js
@ -108,6 +108,16 @@ const config = {
        enabled: process.env.SWAGGER_ENABLED !== 'false',
    },

+    trustProxy: (() => {
+        const val = process.env.TUDUDI_TRUST_PROXY;
+        if (val === undefined || val === '') return false;
+        if (val === 'true') return true;
+        if (val === 'false') return false;
+        const num = Number(val);
+        if (!isNaN(num) && val.trim() !== '') return num;
+        return val;
+    })(),
+
    // Rate limiting configuration
    rateLimiting: {
        // Disable rate limiting in test environment
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -7,6 +7,7 @@ services:
      - TUDUDI_USER_PASSWORD=your-secure-password
      - TUDUDI_SESSION_SECRET=changeme-please-use-openssl
      - TUDUDI_ALLOWED_ORIGINS=http://localhost:3002
+      - TUDUDI_TRUST_PROXY=false
      - TUDUDI_UPLOAD_PATH=/app/backend/uploads
      # Runtime UID/GID configuration - set these to match your host user/group
      - PUID=1001