fix: only trust forwarded IP header from configured trusted proxies

kanishka0411 · kanishka0411 · commit 5545654d8202 · 2026-04-19T12:01:59.000+05:30
diff --git a/CONFIGURATION.md b/CONFIGURATION.md
@@ -126,6 +126,7 @@ The settings below are listed in alphabetical order by name. Please keep this ta
 | mirroring.static[].skipAdmissionCheck       | Disable the admission fee check for events coming from this mirror. |
 | network.maxPayloadSize                      | Maximum number of bytes accepted per WebSocket frame |
 | network.remoteIpHeader                      | HTTP header from proxy containing IP address from client. |
+| network.trustedProxies                      | Optional allow-list of proxy IPs allowed to set `network.remoteIpHeader`; otherwise socket remote IP is used. |
 | nip05.domainBlacklist                       | List of domains blocked from NIP-05 verification. Authors with NIP-05 at these domains will be rejected. |
 | nip05.domainWhitelist                       | List of domains allowed for NIP-05 verification. If set, only authors verified at these domains can publish. |
 | nip05.maxConsecutiveFailures                | Number of consecutive verification failures before giving up on an author. Defaults to 20. |
@@ -144,5 +145,4 @@ The settings below are listed in alphabetical order by name. Please keep this ta
 | payments.feeSchedules.admission[].whitelists.event_kinds | List of event kinds to waive admission fee. Use `[min, max]` for ranges. |
 | payments.feeSchedules.admission[].whitelists.pubkeys | List of pubkeys to waive admission fee. |
 | payments.processor                          | Either `zebedee`, `lnbits`, `lnurl`. |
-| workers.count                               | Number of workers to spin up to handle incoming connections. |
-|                                             | Spin workers as many CPUs are available when set to zero. Defaults to zero. |
+| workers.count                               | Number of workers to spin up to handle incoming connections. Spin workers as many CPUs are available when set to zero. Defaults to zero. |
diff --git a/resources/default-settings.yaml b/resources/default-settings.yaml
@@ -57,6 +57,8 @@ network:
   maxPayloadSize: 524288
   # Comment the next line if using CloudFlare proxy
   remoteIpHeader: x-forwarded-for
+  # Optional: only trust forwarding headers from these proxy IPs
+  trustedProxies: []
   # Uncomment the next line if using CloudFlare proxy
   # remoteIpHeader: cf-connecting-ip
 workers:
diff --git a/src/@types/settings.ts b/src/@types/settings.ts
@@ -14,6 +14,7 @@ export interface Info {
 export interface Network {
   maxPayloadSize?: number
   remoteIpHeader?: string
+  trustedProxies?: string[]
 }
 
 export interface RateLimit {
diff --git a/src/utils/http.ts b/src/utils/http.ts
@@ -2,6 +2,28 @@ import { IncomingMessage } from 'http'
 
 import { Settings } from '../@types/settings'
 
+const normalizeIpAddress = (input: string): string => {
+  if (input.startsWith('::ffff:')) {
+    return input.slice(7)
+  }
+
+  return input
+}
+
+const isTrustedProxy = (ipAddress: string, settings: Settings): boolean => {
+  const trustedProxies = settings.network?.trustedProxies
+
+  if (!Array.isArray(trustedProxies) || trustedProxies.length === 0) {
+    return false
+  }
+
+  const normalizedRemote = normalizeIpAddress(ipAddress)
+
+  return trustedProxies.some((trustedProxy) => {
+    return normalizeIpAddress(trustedProxy) === normalizedRemote
+  })
+}
+
 export const getRemoteAddress = (request: IncomingMessage, settings: Settings): string => {
   let header: string | undefined
   // TODO: Remove deprecation warning
@@ -13,7 +35,22 @@ export const getRemoteAddress = (request: IncomingMessage, settings: Settings):
     header = settings.network.remoteIpHeader as string
   }
 
-  const result = (request.headers[header] ?? request.socket.remoteAddress) as string
+  const trustedProxies = settings.network?.trustedProxies
+  if (header && (!Array.isArray(trustedProxies) || trustedProxies.length === 0)) {
+    console.warn('WARNING: network.remoteIpHeader is set but network.trustedProxies is empty. Forwarded headers will be ignored. Add your proxy IP to network.trustedProxies.')
+  }
+
+  const headerAddress = header
+    ? request.headers[header]
+    : undefined
+  const socketAddress = request.socket.remoteAddress
+
+  const trustedProxy = typeof socketAddress === 'string'
+    && isTrustedProxy(socketAddress, settings)
+
+  const result = trustedProxy && typeof headerAddress === 'string'
+    ? headerAddress
+    : socketAddress
 
-  return result.split(',')[0]
+  return (result as string).split(',')[0].trim()
 }
diff --git a/test/unit/utils/http.spec.ts b/test/unit/utils/http.spec.ts
@@ -1,7 +1,8 @@
 import { expect } from 'chai'
 import { IncomingMessage } from 'http'
+import sinon from 'sinon'
 
-import { getRemoteAddress } from '../../../src/utils/http'
+import { _resetWarnings, getRemoteAddress } from '../../../src/utils/http'
 
 describe('getRemoteAddress', () => {
   const header = 'x-forwarded-for'
@@ -22,14 +23,78 @@ describe('getRemoteAddress', () => {
   })
 
   it('returns address using network.remote_ip_address when set', () => {
-    expect(getRemoteAddress(request, { network: { remote_ip_header: header } } as any)).to.equal(address)
+    expect(
+      getRemoteAddress(
+        request,
+        { network: { 'remote_ip_header': header, trustedProxies: [socketAddress] } } as any,
+      )
+    ).to.equal(address)
   })
 
   it('returns address using network.remoteIpAddress when set', () => {
-    expect(getRemoteAddress(request, { network: { remoteIpHeader: header } } as any)).to.equal(address)
+    expect(
+      getRemoteAddress(
+        request,
+        { network: { remoteIpHeader: header, trustedProxies: [socketAddress] } } as any,
+      )
+    ).to.equal(address)
+  })
+
+  it('returns socket address when proxy is not trusted', () => {
+    expect(
+      getRemoteAddress(
+        request,
+        { network: { remoteIpHeader: header, trustedProxies: ['1.1.1.1'] } } as any,
+      )
+    ).to.equal(socketAddress)
+  })
+
+  it('normalizes ipv4-mapped trusted proxy addresses', () => {
+    expect(
+      getRemoteAddress(
+        {
+          headers: {
+            [header]: address,
+          },
+          socket: {
+            remoteAddress: '::ffff:127.0.0.1',
+          },
+        } as any,
+        { network: { remoteIpHeader: header, trustedProxies: ['127.0.0.1'] } } as any,
+      )
+    ).to.equal(address)
   })
 
   it('returns address from socket when header is unset', () => {
-    expect(getRemoteAddress(request, { network: {} } as any)).to.equal(socketAddress)
+    expect(
+      getRemoteAddress(
+        request,
+        { network: { } } as any,
+      )
+    ).to.equal(socketAddress)
+  })
+
+  it('returns first address when forwarded header is an array', () => {
+    const arrayRequest = {
+      headers: { [header]: [address, 'other-address'] },
+      socket: { remoteAddress: socketAddress },
+    } as any
+    expect(
+      getRemoteAddress(
+        arrayRequest,
+        { network: { remoteIpHeader: header, trustedProxies: [socketAddress] } } as any,
+      )
+    ).to.equal(address)
+  })
+
+  it('emits empty trustedProxies warning only once', () => {
+    _resetWarnings()
+    const warn = sinon.stub(console, 'warn')
+    const settings = { network: { remoteIpHeader: header, trustedProxies: [] } } as any
+    getRemoteAddress(request, settings)
+    getRemoteAddress(request, settings)
+    const warningCalls = warn.args.filter(([msg]) => typeof msg === 'string' && msg.includes('trustedProxies is empty'))
+    warn.restore()
+    expect(warningCalls).to.have.lengthOf(1)
   })
 })

Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@ export interface Info {`
`14`	`14`	`export interface Network {`
`15`	`15`	`maxPayloadSize?: number`
`16`	`16`	`remoteIpHeader?: string`
	`17`	`+ trustedProxies?: string[]`
`17`	`18`	`}`
`18`	`19`
`19`	`20`	`export interface RateLimit {`