fix: resolve arcjet ip warning on render by trusting cloudflare proxy#11
Merged
Merged
Conversation
- add NestExpressApplication type and app.set trust proxy true in main.ts so express reads the real client ip from cloudflare forwarded headers - create src/common/guards/arcjet-optional.guard.ts extending ArcjetGuard with SkipArcjet decorator support for exempting specific routes - update arcjet.module.ts to replace proxies 10.0.0.0/8 with cloudflare() helper, type aj as ArcjetNest instead of any, and swap ArcjetGuard for ArcjetOptionalGuard - add SkipArcjet decorator to root GET / in app.controller.ts to skip arcjet on render health check probes which have no client ip - add live demo url and cold-start note to README.md
|
Base branch auto-updated: This PR has been redirected from |
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes Arcjet's IP resolution warning on Render by enabling Express proxy trust for Cloudflare, replacing the static proxy CIDR with the
cloudflare()helper, and adding a@SkipArcjet()decorator for health check routes that have no client IP.What's Changed
NestExpressApplicationtype andapp.set("trust proxy", true)inmain.tsso Express reads the real client IP from thex-forwarded-forheader set by Cloudflaresrc/common/guards/arcjet-optional.guard.tsextendingArcjetGuardwith support for a@SkipArcjet()decorator, allowing individual routes to opt out of Arcjet evaluationarcjet.module.tsto replace the staticproxies: ["10.0.0.0/8"]withproxies: [cloudflare()], typedajasArcjetNestinstead ofany, and swappedArcjetGuardforArcjetOptionalGuardas the global guard@SkipArcjet()to the rootGET /endpoint inapp.controller.tssince Render's health check probes carry no client IP and would trigger Arcjet warnings on every health checkREADME.mdWhy
Render's edge infrastructure runs on Cloudflare, which means the real client IP is carried in the
x-forwarded-forheader rather than the direct socket connection. Withouttrust proxy true, Express sees the Cloudflare edge node IP instead of the real client, which causes Arcjet to emit an IP resolution warning on every request. Thecloudflare()helper ensures Arcjet uses the same Cloudflare-aware IP resolution. Skipping Arcjet on the health check route prevents spurious warnings from Render's probes which have no meaningful client IP to evaluate.