Fix reverse proxy whitelist to check proxy IP, not client IP

The whitelist should check the direct connecting IP (reverse proxy itself)
rather than the end client IP from X-Forwarded-For headers.

Changes:
- Use req.connection.remoteAddress instead of X-Forwarded-For
- Strip ::ffff: IPv6 prefix for IPv4-mapped addresses
- Updated log message to clarify it's the proxy IP being checked
- Updated docker-compose.yml comments to explain behavior

This allows whitelisting the reverse proxy (e.g., 172.28.0.100) while
still allowing any client IPs to reach the app through that proxy.
voc0der 2 months ago
parent d692187eed
commit 229c7fcea6

@ -273,8 +273,8 @@ function reverseProxyWhitelistMiddleware(req, res, next) {
return next();
}
// Get client IP (handles X-Forwarded-For and X-Real-IP headers)
const clientIp = (req.headers['x-forwarded-for'] || req.headers['x-real-ip'] || req.connection.remoteAddress || '').split(',')[0].trim();
// Get the direct connecting IP (the reverse proxy itself, not the end client)
const proxyIp = (req.connection.remoteAddress || req.socket.remoteAddress || '').replace('::ffff:', '');
// Parse whitelist (can be comma-separated CIDRs)
const allowedRanges = whitelist.split(',').map(s => s.trim()).filter(s => s);
@ -282,7 +282,7 @@ function reverseProxyWhitelistMiddleware(req, res, next) {
// Check if IP is in any of the allowed ranges
for (const range of allowedRanges) {
try {
if (ipInCIDR(clientIp, range)) {
if (ipInCIDR(proxyIp, range)) {
return next();
}
} catch (e) {
@ -290,7 +290,7 @@ function reverseProxyWhitelistMiddleware(req, res, next) {
}
}
logger.warn(`Access denied for IP ${clientIp} - not in whitelist`);
logger.warn(`Access denied for reverse proxy IP ${proxyIp} - not in whitelist`);
return res.status(403).send('Access forbidden');
}
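Review bot: `req.connection` on the new proxyIp line in the first hunk is a deprecated alias for `req.socket` in Node, and a plain property access on it throws a TypeError before the whitelist is ever evaluated if the alias is absent; prefer `req.socket` first with optional chaining so a missing socket yields an empty string that the loop's catch can deal with. The `.replace('::ffff:', '')` also removes the first occurrence anywhere in the string rather than only the IPv4-mapped prefix: `const raw = req.socket?.remoteAddress ?? req.connection?.remoteAddress ?? '';` then `const proxyIp = raw.startsWith('::ffff:') ? raw.slice('::ffff:'.length) : raw;`. The direction of the change itself is sound, since the old X-Forwarded-For value was client-supplied and could be set to any whitelisted address, whereas the socket peer address cannot be chosen by the client. reverseProxyWhitelistMiddleware begins outside the hunk, so the empty-whitelist handling above `return next();` is not visible here.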

@ -16,7 +16,8 @@ services:
# ytdl_ssl_key_path: /mnt/keys/bindable-internal/lurker/privkey.pem
# Reverse Proxy Whitelist (optional)
# If set, only IPs in these CIDR ranges can access the server
# Whitelists the reverse proxy's IP (the direct connecting IP, not end clients)
# This checks which reverse proxy is allowed to connect, not client IPs
# Leave commented for no IP filtering
# Example single IP: 172.28.0.100/32
# Example subnet: 172.28.0.0/24
