fix: warn once, handle array header, add default trusted proxies, sort CONFIGURATION.md A-Z

kanishka0411 · kanishka0411 · commit 6892bbde8bd2 · 2026-04-18T22:01:09.000+05:30
diff --git a/CONFIGURATION.md b/CONFIGURATION.md
@@ -66,58 +66,55 @@ Running `nostream` for the first time creates the settings file in `<project_roo
 
 | Name                                        | Description                                                                   |
 |---------------------------------------------|-------------------------------------------------------------------------------|
-| info.relay_url                              | Public-facing URL of your relay. (e.g. wss://relay.your-domain.com) |
-| info.name                                   | Public name of your relay. (e.g. TBG's Public Relay) |
+| info.contact                                | Relay operator's contact. (e.g. mailto:operator@relay-your-domain.com) |
 | info.description                            | Public description of your relay. (e.g. Toronto Bitcoin Group Public Relay) |
+| info.name                                   | Public name of your relay. (e.g. TBG's Public Relay) |
 | info.pubkey                                 | Relay operator's Nostr pubkey in hex format. |
-| info.contact                                | Relay operator's contact. (e.g. mailto:operator@relay-your-domain.com) |
-| network.maxPayloadSize                      | Maximum number of bytes accepted per WebSocket frame |
-| network.remoteIpHeader                      | HTTP header from proxy containing IP address from client. |
-| network.trustedProxies                      | Optional allow-list of proxy IPs allowed to set `network.remoteIpHeader`; otherwise socket remote IP is used. |
-| payments.enabled                            | Enabled payments. Defaults to false. |
-| payments.processor                          | Either `zebedee`, `lnbits`, `lnurl`. |
-| payments.feeSchedules.admission[].enabled   | Enables admission fee. Defaults to false. |
-| payments.feeSchedules.admission[].amount    | Admission fee amount in msats. |
-| payments.feeSchedules.admission[].whitelists.pubkeys | List of pubkeys to waive admission fee. |
-| payments.feeSchedules.admission[].whitelists.event_kinds | List of event kinds to waive admission fee. Use `[min, max]` for ranges. |
-| paymentProcessors.zebedee.baseURL           | Zebedee's API base URL. |
-| paymentProcessors.zebedee.callbackBaseURL   | Public-facing Nostream's Zebedee Callback URL (e.g. https://relay.your-domain.com/callbacks/zebedee) |
-| paymentProcessors.zebedee.ipWhitelist       | List with Zebedee's API Production IPs. See [ZBD API Documentation](https://api-reference.zebedee.io/#c7e18276-6935-4cca-89ae-ad949efe9a6a) for more info. |
-| paymentProcessors.lnbits.baseURL            | Base URL of your Lnbits instance. |
-| paymentProcessors.lnbits.callbackBaseURL    | Public-facing Nostream's Lnbits Callback URL. (e.g. https://relay.your-domain.com/callbacks/lnbits) |
-| paymentProcessors.lnurl.invoiceURL          | [LUD-06 Pay Request](https://github.com/lnurl/luds/blob/luds/06.md) provider URL. (e.g. https://getalby.com/lnurlp/your-username) |
-| mirroring.static[].address                  | Address of mirrored relay. (e.g. ws://100.100.100.100:8008) |
-| mirroring.static[].filters                  | Subscription filters used to mirror. |
-| mirroring.static[].limits.event                   | Event limit overrides for this mirror. See configurations under limits.event. |
-| mirroring.static[].skipAdmissionCheck       | Disable the admission fee check for events coming from this mirror. |
-| mirroring.static[].secret                   | Secret to pass to relays. Nostream relays only. Optional. |
-| workers.count                               | Number of workers to spin up to handle incoming connections. |
-|                                             | Spin workers as many CPUs are available when set to zero. Defaults to zero. |
-| limits.event.eventId.minLeadingZeroBits     | Leading zero bits required on every incoming event for proof of work. |
-|                                             | Defaults to zero. Disabled when set to zero. |
-| limits.event.kind.whitelist                 | List of event kinds to always allow. Leave empty to allow any. |
-| limits.event.kind.blacklist                 | List of event kinds to always reject. Leave empty to allow any. |
-| limits.event.pubkey.minLeadingZeroBits      | Leading zero bits required on the public key of incoming events for proof of work. |
-|                                             | Defaults to zero. Disabled when set to zero. |
-| limits.event.pubkey.whitelist               | List of public keys to always allow. Only public keys in this list will be able to post to this relay. Use for private relays. |
-| limits.event.pubkey.blacklist               | List of public keys to always reject. Public keys in this list will not be able to post to this relay. |
-| limits.event.createdAt.maxPositiveDelta     | Maximum number of seconds an event's `created_at` can be in the future. Defaults to 900 (15 minutes). Disabled when set to zero. |
-| limits.event.createdAt.minNegativeDelta     | Maximum number of secodns an event's `created_at` can be in the past.  Defaults to zero. Disabled when set to zero. |
+| info.relay_url                              | Public-facing URL of your relay. (e.g. wss://relay.your-domain.com) |
+| limits.admissionCheck.ipWhitelist           | List of IPs (IPv4 or IPv6) to ignore rate limits. |
+| limits.admissionCheck.rateLimits[].period   | Rate limit period in milliseconds. |
+| limits.admissionCheck.rateLimits[].rate     | Maximum number of admission checks during period. |
+| limits.client.subscription.maxFilters       | Maximum number of filters per subscription. Defaults to 10. Disabled when set to zero. |
+| limits.client.subscription.maxSubscriptions | Maximum number of subscriptions per connected client. Defaults to 10. Disabled when set to zero. |
 | limits.event.content[].kinds                | List of event kinds to apply limit. Use `[min, max]` for ranges. Optional. |
 | limits.event.content[].maxLength            | Maximum length of `content`. Defaults to 1 MB. Disabled when set to zero. |
+| limits.event.createdAt.maxPositiveDelta     | Maximum number of seconds an event's `created_at` can be in the future. Defaults to 900 (15 minutes). Disabled when set to zero. |
+| limits.event.createdAt.minNegativeDelta     | Maximum number of seconds an event's `created_at` can be in the past. Defaults to zero. Disabled when set to zero. |
+| limits.event.eventId.minLeadingZeroBits     | Leading zero bits required on every incoming event for proof of work. Defaults to zero. Disabled when set to zero. |
+| limits.event.kind.blacklist                 | List of event kinds to always reject. Leave empty to allow any. |
+| limits.event.kind.whitelist                 | List of event kinds to always allow. Leave empty to allow any. |
+| limits.event.pubkey.blacklist               | List of public keys to always reject. Public keys in this list will not be able to post to this relay. |
+| limits.event.pubkey.minLeadingZeroBits      | Leading zero bits required on the public key of incoming events for proof of work. Defaults to zero. Disabled when set to zero. |
+| limits.event.pubkey.whitelist               | List of public keys to always allow. Only public keys in this list will be able to post to this relay. Use for private relays. |
 | limits.event.rateLimits[].kinds             | List of event kinds rate limited. Use `[min, max]` for ranges. Optional. |
 | limits.event.rateLimits[].period            | Rate limiting period in milliseconds. |
 | limits.event.rateLimits[].rate              | Maximum number of events during period. |
-| limits.event.whitelists.pubkeys             | List of public keys to ignore rate limits. |
-| limits.event.whitelists.ipAddresses         | List of IPs (IPv4 or IPv6) to ignore rate limits. |
-| limits.event.retention.maxDays              | Maximum number of days to retain events. Purge deletes events that are expired (`expires_at`), soft-deleted (`deleted_at`), or older than this window (`created_at`). Any non-positive value disables retention purge. |
 | limits.event.retention.kind.whitelist       | Event kinds excluded from retention purge. NIP-62 `REQUEST_TO_VANISH` is always excluded from retention purge, even if not listed here. |
+| limits.event.retention.maxDays              | Maximum number of days to retain events. Purge deletes events that are expired (`expires_at`), soft-deleted (`deleted_at`), or older than this window (`created_at`). Any non-positive value disables retention purge. |
 | limits.event.retention.pubkey.whitelist     | Public keys excluded from retention purge. |
-| limits.client.subscription.maxSubscriptions | Maximum number of subscriptions per connected client. Defaults to 10. Disabled when set to zero. |
-| limits.client.subscription.maxFilters       | Maximum number of filters per subscription. Defaults to 10. Disabled when set to zero. |
+| limits.event.whitelists.ipAddresses         | List of IPs (IPv4 or IPv6) to ignore rate limits. |
+| limits.event.whitelists.pubkeys             | List of public keys to ignore rate limits. |
+| limits.message.ipWhitelist                  | List of IPs (IPv4 or IPv6) to ignore rate limits. |
 | limits.message.rateLimits[].period          | Rate limit period in milliseconds. |
 | limits.message.rateLimits[].rate            | Maximum number of messages during period. |
-| limits.message.ipWhitelist                  | List of IPs (IPv4 or IPv6) to ignore rate limits. |
-| limits.admissionCheck.rateLimits[].period          | Rate limit period in milliseconds. |
-| limits.admissionCheck.rateLimits[].rate            | Maximum number of admission checks during period. |
-| limits.admissionCheck.ipWhitelist                  | List of IPs (IPv4 or IPv6) to ignore rate limits. |
+| mirroring.static[].address                  | Address of mirrored relay. (e.g. ws://100.100.100.100:8008) |
+| mirroring.static[].filters                  | Subscription filters used to mirror. |
+| mirroring.static[].limits.event             | Event limit overrides for this mirror. See configurations under limits.event. |
+| mirroring.static[].secret                   | Secret to pass to relays. Nostream relays only. Optional. |
+| mirroring.static[].skipAdmissionCheck       | Disable the admission fee check for events coming from this mirror. |
+| network.maxPayloadSize                      | Maximum number of bytes accepted per WebSocket frame |
+| network.remoteIpHeader                      | HTTP header from proxy containing IP address from client. |
+| network.trustedProxies                      | Optional allow-list of proxy IPs allowed to set `network.remoteIpHeader`; otherwise socket remote IP is used. |
+| paymentProcessors.lnbits.baseURL            | Base URL of your Lnbits instance. |
+| paymentProcessors.lnbits.callbackBaseURL    | Public-facing Nostream's Lnbits Callback URL. (e.g. https://relay.your-domain.com/callbacks/lnbits) |
+| paymentProcessors.lnurl.invoiceURL          | [LUD-06 Pay Request](https://github.com/lnurl/luds/blob/luds/06.md) provider URL. (e.g. https://getalby.com/lnurlp/your-username) |
+| paymentProcessors.zebedee.baseURL           | Zebedee's API base URL. |
+| paymentProcessors.zebedee.callbackBaseURL   | Public-facing Nostream's Zebedee Callback URL (e.g. https://relay.your-domain.com/callbacks/zebedee) |
+| paymentProcessors.zebedee.ipWhitelist       | List with Zebedee's API Production IPs. See [ZBD API Documentation](https://api-reference.zebedee.io/#c7e18276-6935-4cca-89ae-ad949efe9a6a) for more info. |
+| payments.enabled                            | Enabled payments. Defaults to false. |
+| payments.feeSchedules.admission[].amount    | Admission fee amount in msats. |
+| payments.feeSchedules.admission[].enabled   | Enables admission fee. Defaults to false. |
+| payments.feeSchedules.admission[].whitelists.event_kinds | List of event kinds to waive admission fee. Use `[min, max]` for ranges. |
+| payments.feeSchedules.admission[].whitelists.pubkeys | List of pubkeys to waive admission fee. |
+| payments.processor                          | Either `zebedee`, `lnbits`, `lnurl`. |
+| workers.count                               | Number of workers to spin up to handle incoming connections. Spin workers as many CPUs are available when set to zero. Defaults to zero. |
diff --git a/resources/default-settings.yaml b/resources/default-settings.yaml
@@ -37,12 +37,16 @@ paymentsProcessors:
     callbackBaseURL: https://nostream.your-domain.com/callbacks/opennode
 network:
   maxPayloadSize: 524288
-  # Comment the next line if using CloudFlare proxy
-  remoteIpHeader: x-forwarded-for
-  # Optional: only trust forwarding headers from these proxy IPs
-  trustedProxies: []
-  # Uncomment the next line if using CloudFlare proxy
+  # Uncomment only when using a trusted reverse proxy and configuring trustedProxies.
+  # remoteIpHeader: x-forwarded-for
   # remoteIpHeader: cf-connecting-ip
+  # Proxy IPs allowed to set remoteIpHeader (loopback and common docker internal)
+  trustedProxies:
+    - "127.0.0.1"
+    - "::ffff:127.0.0.1"
+    - "::1"
+    - "10.10.10.1"
+    - "::ffff:10.10.10.1"
 workers:
   count: 0
 mirroring:
diff --git a/src/utils/http.ts b/src/utils/http.ts
@@ -2,6 +2,10 @@ import { IncomingMessage } from 'http'
 
 import { Settings } from '../@types/settings'
 
+let warnedEmptyTrustedProxies = false
+
+export const _resetWarnings = (): void => { warnedEmptyTrustedProxies = false }
+
 const normalizeIpAddress = (input: string): string => {
   if (input.startsWith('::ffff:')) {
     return input.slice(7)
@@ -36,13 +40,13 @@ export const getRemoteAddress = (request: IncomingMessage, settings: Settings):
   }
 
   const trustedProxies = settings.network?.trustedProxies
-  if (header && (!Array.isArray(trustedProxies) || trustedProxies.length === 0)) {
+  if (header && (!Array.isArray(trustedProxies) || trustedProxies.length === 0) && !warnedEmptyTrustedProxies) {
     console.warn('WARNING: network.remoteIpHeader is set but network.trustedProxies is empty. Forwarded headers will be ignored. Add your proxy IP to network.trustedProxies.')
+    warnedEmptyTrustedProxies = true
   }
 
-  const headerAddress = header
-    ? request.headers[header]
-    : undefined
+  const rawHeaderAddress = header ? request.headers[header] : undefined
+  const headerAddress = Array.isArray(rawHeaderAddress) ? rawHeaderAddress[0] : rawHeaderAddress
   const socketAddress = request.socket.remoteAddress
 
   const trustedProxy = typeof socketAddress === 'string'
diff --git a/test/unit/utils/http.spec.ts b/test/unit/utils/http.spec.ts
@@ -1,7 +1,8 @@
 import { expect } from 'chai'
 import { IncomingMessage } from 'http'
+import sinon from 'sinon'
 
-import { getRemoteAddress } from '../../../src/utils/http'
+import { _resetWarnings, getRemoteAddress } from '../../../src/utils/http'
 
 describe('getRemoteAddress', () => {
   const header = 'x-forwarded-for'
@@ -72,4 +73,28 @@ describe('getRemoteAddress', () => {
       )
     ).to.equal(socketAddress)
   })
+
+  it('returns first address when forwarded header is an array', () => {
+    const arrayRequest = {
+      headers: { [header]: [address, 'other-address'] },
+      socket: { remoteAddress: socketAddress },
+    } as any
+    expect(
+      getRemoteAddress(
+        arrayRequest,
+        { network: { remoteIpHeader: header, trustedProxies: [socketAddress] } } as any,
+      )
+    ).to.equal(address)
+  })
+
+  it('emits empty trustedProxies warning only once', () => {
+    _resetWarnings()
+    const warn = sinon.stub(console, 'warn')
+    const settings = { network: { remoteIpHeader: header, trustedProxies: [] } } as any
+    getRemoteAddress(request, settings)
+    getRemoteAddress(request, settings)
+    const warningCalls = warn.args.filter(([msg]) => typeof msg === 'string' && msg.includes('trustedProxies is empty'))
+    warn.restore()
+    expect(warningCalls).to.have.lengthOf(1)
+  })
 })
