fix(nginx): correct real_ip_header typo X-Forward-For → X-Forwarded-For #8935
X-Forward-For is not a real HTTP header — the standard is X-Forwarded-For. With the typo, Nginx never replaces $remote_addr with the actual client IP, so rate limiting and IP logging see the proxy IP instead of the real client. Affects all three nginx configs (web, admin, space).
CodeRabbit walkthrough: This pull request corrects a typo across three Nginx configuration files.
Actionable comments posted: 1
Inline comments:
In `@apps/space/nginx/nginx.conf`:
- Around line 12-15: The configuration currently uses set_real_ip_from 0.0.0.0/0
with real_ip_header X-Forwarded-For, which allows IP spoofing and defeats
limit_req_zone using $binary_remote_addr and $remote_addr; replace the wildcard
trust with the actual proxy/CDN/load-balancer CIDR ranges (or make
set_real_ip_from values configurable) so only trusted upstreams can set
X-Forwarded-For, and document the behavior if you must accept arbitrary sources;
update the same change in the other nginx.conf files that use set_real_ip_from,
real_ip_header, and limit_req_zone to ensure rate limits and logs remain
reliable.
Files selected for processing (3):
- apps/admin/nginx/nginx.conf
- apps/space/nginx/nginx.conf
- apps/web/nginx/nginx.conf
@coderabbitai set_real_ip_from 0.0.0.0/0 is pre-existing and predates this PR — this PR only fixes the real_ip_header typo. The wildcard trust range is deployment-specific (correct CIDR depends on whether the user is behind Cloudflare, AWS ELB, custom proxy, etc.) and should be addressed separately as a configurable value per deployment.

The change correctly fixes the Note (not blocking): the pre-existing
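To make the two points in this thread concrete (the misspelled `real_ip_header` name that the PR fixes, and the spoofing concern about `set_real_ip_from 0.0.0.0/0` that the reviewer raised and the author deferred to per-deployment configuration), here is an added Python model of the client-address selection documented for nginx's realip module. It is example code written for this page, not code from the PR or the project; the function names, the constructed request headers and the documentation-range addresses (10.0.0.0/8, 203.0.113.0/24, 198.51.100.0/24) are assumptions for the example.

```python
# Added example (not part of the PR or the project): a model of how nginx's
# realip module picks $remote_addr from real_ip_header / set_real_ip_from /
# real_ip_recursive, used to show why the header name matters and why a
# wildcard trust range lets a direct client choose the address that
# limit_req_zone ($binary_remote_addr) and the access log see.
import ipaddress
from typing import Dict, List, Optional


def _trusted(ip: ipaddress._BaseAddress, nets: List[ipaddress._BaseNetwork]) -> bool:
    return any(ip in net for net in nets)


def effective_client_ip(peer_addr: str,
                        headers: Dict[str, str],
                        real_ip_header: str,
                        set_real_ip_from: List[str],
                        real_ip_recursive: bool = True) -> str:
    """Return the $remote_addr nginx ends up with after the realip module runs.

    Follows the documented directive semantics:
      * the TCP peer must lie inside a set_real_ip_from range, otherwise the
        header is ignored and the peer address is kept;
      * only the header named by real_ip_header is consulted, so a misspelled
        name (X-Forward-For) never matches the X-Forwarded-For a proxy sends;
      * with real_ip_recursive off the rightmost address wins; with it on the
        list is walked right-to-left past trusted proxies and the first
        untrusted address wins (the leftmost entry if every hop is trusted);
      * an unparsable entry makes nginx decline, keeping the peer address.
    """
    trusted_nets = [ipaddress.ip_network(n, strict=False) for n in set_real_ip_from]
    peer = ipaddress.ip_address(peer_addr)
    if not _trusted(peer, trusted_nets):
        return peer_addr

    # HTTP header names are case-insensitive.
    value: Optional[str] = next(
        (v for k, v in headers.items() if k.lower() == real_ip_header.lower()), None)
    if not value:
        return peer_addr

    chain = [hop.strip() for hop in value.split(",") if hop.strip()]
    if not chain:
        return peer_addr

    chosen = peer_addr
    for hop in reversed(chain):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr
        chosen = hop
        if not real_ip_recursive or not _trusted(ip, trusted_nets):
            break
    return chosen


def demo() -> Dict[str, str]:
    """Constructed scenarios; the proxy is 10.0.0.7, the real client 203.0.113.5."""
    proxied = {"X-Forwarded-For": "203.0.113.5"}
    spoofed = {"X-Forwarded-For": "198.51.100.1"}   # header set by the client itself
    return {
        # The bug this PR fixes: wrong header name, so the proxy IP is logged
        # and rate-limited instead of the client.
        "typo": effective_client_ip("10.0.0.7", proxied, "X-Forward-For", ["10.0.0.0/8"]),
        "fixed": effective_client_ip("10.0.0.7", proxied, "X-Forwarded-For", ["10.0.0.0/8"]),
        # The reviewer's concern: with 0.0.0.0/0 a client connecting directly
        # is itself "trusted", so whatever it puts in the header is believed.
        "wildcard_trust": effective_client_ip("203.0.113.5", spoofed, "X-Forwarded-For", ["0.0.0.0/0"]),
        # Restricting set_real_ip_from to the proxy range ignores that header.
        "proxy_only_trust": effective_client_ip("203.0.113.5", spoofed, "X-Forwarded-For", ["10.0.0.0/8"]),
    }


if __name__ == "__main__":
    for name, addr in demo().items():
        print(f"{name:18s} -> {addr}")
```

Run stand-alone it prints the four cases: `typo` and `proxy_only_trust` yield the peer address (10.0.0.7 and 203.0.113.5 respectively), `fixed` yields 203.0.113.5, and `wildcard_trust` yields the attacker-chosen 198.51.100.1. The last case is the reason the wildcard range is worth replacing with the actual proxy/CDN CIDRs (or making it configurable, as the author suggests) once the header name is correct; before the fix the wildcard was harmless only because the header was never read.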
Description
Fixes #8934
All three nginx configs had a typo in the `real_ip_header` directive — `X-Forward-For` instead of the standard `X-Forwarded-For`. `X-Forward-For` is not a real HTTP header, so Nginx silently ignored the directive and never replaced `$remote_addr` with the actual client IP.

Changes:
- `real_ip_header X-Forward-For` → `real_ip_header X-Forwarded-For` in `apps/web/nginx/nginx.conf`
- `real_ip_header X-Forward-For` → `real_ip_header X-Forwarded-For` in `apps/admin/nginx/nginx.conf`
- `real_ip_header X-Forward-For` → `real_ip_header X-Forwarded-For` in `apps/space/nginx/nginx.conf`

One character added in 3 files, nothing else.
Type of Change
Test Scenarios
- X-Forwarded-For

References
Closes #8934