⚠️ Blocker for IP-based rate limiting. Settle how the real client IP reaches the process before any IP bucket goes live.
Problem
The app binds 0.0.0.0:5800 directly (src/web/mod.rs:92) with no reverse-proxy config in the repo, but runs at a public domain — so it's almost certainly behind a reverse proxy / Cloudflare in production. That means:
- A naive IP issuer sees the proxy's IP for every request → rate-limits all users as one (self-inflicted outage).
- Blindly trusting
X-Forwarded-For lets a client spoof its IP and dodge the limit entirely.
Scope
- Confirm the production topology (proxy? Cloudflare? direct?).
- Configure client-IP extraction to trust
X-Forwarded-For / CF-Connecting-IP only from the known proxy hop.
- Verify whether salvo's IP issuer honours forwarded headers or whether a small custom issuer is needed.
- Record the assumed topology in config so it can't silently regress.
Blocks
Parent: #50
Problem
The app binds
0.0.0.0:5800directly (src/web/mod.rs:92) with no reverse-proxy config in the repo, but runs at a public domain — so it's almost certainly behind a reverse proxy / Cloudflare in production. That means:X-Forwarded-Forlets a client spoof its IP and dodge the limit entirely.Scope
X-Forwarded-For/CF-Connecting-IPonly from the known proxy hop.Blocks
Parent: #50