Add option to `node` preset for trusting `X-Forwarded-*` headers

[septatrix]

Describe the feature

For deployment behind a reverse proxy one wants the receiving application to trust and use the X-Forwarded-For (and related) header set by the proxy. However, for edge deployments this is usually not desirable as they already provide the correct IP and attackers could provide false data in those headers. The runtime presets (node_*, bun, and deno) though are commonly deployed behind a reverse proxy and would thus benefit from an option to trust those headers and fill ServerRequest.ip with it's value.

A possible implementation would be to expose this as an environment variable like NITRO_TRUST_XFORWARDED=1 and/or a flag in defineConfig().

Cont'd from the discussion over at the h3 repo: h3js/h3#1366 (comment)

Additional information

• Would you be willing to help implement this feature?

[pi0]

Since it is a nitro issue, Can you please specify which deployment hosting is not currently working or are we talking about?

[septatrix]

In my case the node_server behind an Apache or Nginx reverse proxy . Though the other node presets, deno or bun, and combination with other reverse proxies like Caddy would all behave the same.

Documentation e.g. for Apache https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#x-headers