Fix rate limiting behind reverse proxy (trust proxy headers)
Critical Fix:
- Added app.set('trust proxy', true) to server-http.js
- Fixes ValidationError about X-Forwarded-For headers
- Allows rate limiting to work correctly on Render/Heroku/etc
Problem:
- Without trust proxy, Express doesn't recognize real client IPs
- All users appear to have the same IP (the proxy's IP)
- Rate limiting applied to ALL users as a single entity
- One user hitting limit blocks everyone
Solution:
- Trust X-Forwarded-For headers from reverse proxies
- Each user now has their own rate limit bucket
- Rate limiting works as designed (50 req/min per IP)
Documentation:
- Added troubleshooting section in DEPLOYMENT.md
- Explains the error and impact
- Shows how to verify the fix
This is required for any deployment behind a reverse proxy
(Render, Heroku, AWS ELB, nginx, etc.)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Lee Hanken
@@ -415,6 +415,27 @@ If legitimate users hit rate limits:
|
|||||||
- Implement authentication for higher limits
|
- Implement authentication for higher limits
|
||||||
- Consider using API keys
|
- Consider using API keys
|
||||||
|
|
||||||
|
### Rate Limiting Not Working (All Users Blocked Together)
|
||||||
|
|
||||||
|
**Error in logs**:
|
||||||
|
```
|
||||||
|
ValidationError: The 'X-Forwarded-For' header is set but the Express 'trust proxy' setting is false
|
||||||
|
```
|
||||||
|
|
||||||
|
**Cause**: Server is behind a reverse proxy (Render, Heroku, etc.) but Express doesn't trust proxy headers.
|
||||||
|
|
||||||
|
**Impact**: All users appear to have the same IP address, so they share one rate limit bucket. When one user hits the limit, everyone gets blocked.
|
||||||
|
|
||||||
|
**Solution**: Already fixed in `server-http.js` with:
|
||||||
|
```javascript
|
||||||
|
app.set('trust proxy', true);
|
||||||
|
```
|
||||||
|
|
||||||
|
If you still see this error:
|
||||||
|
1. Pull latest code from repository
|
||||||
|
2. Redeploy to your hosting platform
|
||||||
|
3. Verify logs no longer show the ValidationError
|
||||||
|
|
||||||
### Connection Timeouts
|
### Connection Timeouts
|
||||||
|
|
||||||
If requests timeout:
|
If requests timeout:
|
||||||
|
|||||||
@@ -661,6 +661,10 @@ ${match.context}
|
|||||||
// Create Express app
|
// Create Express app
|
||||||
const app = express();
|
const app = express();
|
||||||
|
|
||||||
|
// Trust proxy headers (required for Render, Heroku, etc.)
|
||||||
|
// This allows rate limiting to work correctly behind reverse proxies
|
||||||
|
app.set('trust proxy', true);
|
||||||
|
|
||||||
// Enable CORS
|
// Enable CORS
|
||||||
app.use(cors());
|
app.use(cors());
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user