From 08ae2fbf230634083d053b7ea571b332216aec24 Mon Sep 17 00:00:00 2001
From: Georg Bremer
Date: Tue, 19 Mar 2024 11:46:47 +0100
Subject: [PATCH 1/2] fix: Configure trusted proxies

Our proxy will add the client ip to the x-forwarded-for header correctly and also itself as it does NAT. Configure the number of trusted proxies to read the correct entry from the header to avoid manipulation by clients.
---
 .env.example                      | 2 ++
 packages/server/utils/uwsGetIP.ts | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/.env.example b/.env.example
index 0d0a44b41f0..4869e6931dc 100644
--- a/.env.example
+++ b/.env.example
@@ -5,6 +5,8 @@ PROTO='http'
 SERVER_SECRET='key_SERVER_SECRET'
 # Cluster node number 0 - 1023. Must be unique per process.
 SERVER_ID='1'
+# Used to read the client IP from the X-Forwarded-For header, if not set, it will use the first IP in the list.
+# TRUSTED_PROXY_COUNT='1'
 # Websocket port for the websocket server, only used in development (yarn dev)
 SOCKET_PORT='3001'
diff --git a/packages/server/utils/uwsGetIP.ts b/packages/server/utils/uwsGetIP.ts
index 034b266a3c9..b41765b100d 100644
--- a/packages/server/utils/uwsGetIP.ts
+++ b/packages/server/utils/uwsGetIP.ts
@@ -1,7 +1,11 @@
 import {HttpRequest, HttpResponse} from 'uWebSockets.js'
+const TRUSTED_PROXY_COUNT = Number(process.env.TRUSTED_PROXY_COUNT)
+// if TRUSTED_PROXY_COUNT is not configured correctly we fall back to reading the first IP to avoid rate limiting our proxy
+const CLIENT_IP_POS = isNaN(TRUSTED_PROXY_COUNT) ? 0 : -1 - TRUSTED_PROXY_COUNT
+
 
 const uwsGetIP = (res: HttpResponse, req: HttpRequest) => {
-  const clientIp = req.getHeader('x-forwarded-for')?.split(',')[0]
+  const clientIp = req.getHeader('x-forwarded-for')?.split(',').at(CLIENT_IP_POS)
   if (clientIp) return clientIp
   // returns ipv6 e.g. '0000:0000:0000:0000:0000:ffff:ac11:0001'
   return Buffer.from(res.getRemoteAddressAsText()).toString()

From d957dd36ead3abe484ca4f361f795d6bc01c59ac Mon Sep 17 00:00:00 2001
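Review bot: The entry picked with `.at(CLIENT_IP_POS)` is returned untrimmed, and a negative or fractional `TRUSTED_PROXY_COUNT` is accepted silently: proxies normally append to the header as `a, b`, so every entry after the first carries a leading space, and a value like `'-1'` passes the `isNaN` check on the `CLIENT_IP_POS` line yet resolves to position 0, the client-controlled first entry. I would change the two lines to `const CLIENT_IP_POS = Number.isInteger(TRUSTED_PROXY_COUNT) && TRUSTED_PROXY_COUNT >= 0 ? -1 - TRUSTED_PROXY_COUNT : 0` and `const clientIp = req.getHeader('x-forwarded-for')?.split(',').at(CLIENT_IP_POS)?.trim()`, which keeps the unset-variable fallback to 0 unchanged. Note also that when the header holds fewer entries than the configured depth, `.at()` yields undefined and the function falls through to `res.getRemoteAddressAsText()`, which behind the proxy is presumably the proxy's own address — the outcome the fallback comment says it wants to avoid — so a comment on the `if (clientIp)` line stating that this case is expected to be rare would help a later reader. The body of `uwsGetIP` continues past the end of the hunk.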
From: Georg Bremer
Date: Tue, 19 Mar 2024 13:13:03 +0100
Subject: [PATCH 2/2] Add a warning

---
 .env.example | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.env.example b/.env.example
index 4869e6931dc..f3deef299a2 100644
--- a/.env.example
+++ b/.env.example
@@ -6,6 +6,7 @@ SERVER_SECRET='key_SERVER_SECRET'
 # Cluster node number 0 - 1023. Must be unique per process.
 SERVER_ID='1'
 # Used to read the client IP from the X-Forwarded-For header, if not set, it will use the first IP in the list.
+# If configured, it must match the number of proxies in the stack, otherwise it might rate limit all traffic coming from the proxy.
 # TRUSTED_PROXY_COUNT='1'
 # Websocket port for the websocket server, only used in development (yarn dev)
 SOCKET_PORT='3001'