Add trusted_proxies env var to control nginx x-forwarded-for behaviour (#1982)

2026-05-18 05:18:05 -04:00 · 2026-05-01 14:15:05 +02:00
parent 04968032fd
commit c9eaf2d807
11 changed files with 379 additions and 20 deletions
--- a/.env.example
+++ b/.env.example
@@ -119,3 +119,13 @@ MAX_UPLOAD_SIZE_MB=100
 # Requests from non-allowlisted IPs are silently routed to the client app and will
 # result in a 404 error.
 ADMIN_IP_ALLOWLIST=
+
+# Trusted upstream proxies that AliasVault's reverse proxy will accept the
+# X-Forwarded-For header from when determining the real client IP. Options:
+# - Empty = trust all RFC1918 ranges (10/8, 172.16/12, 192.168/16).
+# - A comma-separated list of CIDRs/IPs (e.g. "10.0.1.5,192.168.1.0/24") to
+#   trust only those upstream proxies. Recommended when running behind a
+#   specific reverse proxy (HAProxy, Traefik, Cloudflare, etc.) so X-Forwarded-For
+#   from any other source is ignored.
+# - "none" = trust no upstream proxies; logs always show the direct peer IP.
+TRUSTED_PROXIES=