Skip to content

Seed trust_proxy=true so per-IP limit works behind StartOS proxy#6

Closed
wksantiago wants to merge 2 commits into
masterfrom
fix-trust-proxy
Closed

Seed trust_proxy=true so per-IP limit works behind StartOS proxy#6
wksantiago wants to merge 2 commits into
masterfrom
fix-trust-proxy

Conversation

@wksantiago

@wksantiago wksantiago commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Closes #5

Summary by CodeRabbit

  • Bug Fixes
    • Fixed proxy trust security settings not being properly applied during system initialization and upgrades.
    • Ensures the correct client-IP preserving behavior is configured via the StartOS reverse proxy during setup.

@coderabbitai

coderabbitai Bot commented Jun 15, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f760a5dd-5fed-4a3a-b2bf-ff4a0cff9f47

📥 Commits

Reviewing files that changed from the base of the PR and between f8150e4 and 5dff398.

📒 Files selected for processing (1)
  • startos/init/seedFiles.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • startos/init/seedFiles.ts

Walkthrough

The seedFiles init handler in startos/init/seedFiles.ts is updated to call wispToml.merge(effects, { security: { trust_proxy: true } }) instead of merging an empty object. Inline comments are expanded to explain that wisp.toml should be seeded on init/upgrade, that only security.trust_proxy is set by the merge, and why trust_proxy=true is required for correct client IP behavior behind the StartOS reverse proxy.

Changes

trust_proxy init config

Layer / File(s) Summary
Set security.trust_proxy in seedFiles init handler
startos/init/seedFiles.ts
Comments expanded to document init/upgrade intent and the role of trust_proxy in reading real client IPs via X-Forwarded-For. wispToml.merge now receives { security: { trust_proxy: true } } instead of {}, so trust_proxy = true is written into wisp.toml on every install and upgrade.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 A proxy once hid every hop,
Ten connections — then hard stop!
One small merge, one flag set true,
trust_proxy lets real IPs through.
The relay hops with joy anew! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: seeding trust_proxy=true to enable per-IP connection limiting behind the StartOS proxy.
Linked Issues check ✅ Passed The PR directly implements option 1 from issue #5 by seeding trust_proxy=true in seedFiles, enabling per-IP connection limiting to work correctly behind the StartOS proxy.
Out of Scope Changes check ✅ Passed All changes are scoped to the stated objective: updating seedFiles to merge trust_proxy=true configuration for the Wisp init process.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix-trust-proxy

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@wksantiago wksantiago self-assigned this Jun 15, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
startos/init/seedFiles.ts (1)

12-14: ⚡ Quick win

Consider setting trusted_proxies explicitly for defense in depth.

While leaving trusted_proxies empty and relying on network topology (relay port only accessible via proxy) is acceptable given the current deployment model, explicitly setting trusted_proxies to the proxy's IP address or range would provide defense in depth. If the network configuration changes or the relay becomes directly accessible, clients could spoof X-Forwarded-For headers.

The comment's final sentence "(Setting a wrong proxy address would silently disable the fix.)" is confusing since no proxy address is being set here. If you meant to warn about the risk of misconfiguring trusted_proxies, consider clarifying or documenting the proxy's IP/range for future reference.

🛡️ Example: Setting trusted_proxies explicitly
 export const seedFiles = sdk.setupOnInit(async (effects) => {
   await wispToml.merge(effects, {
-    security: { trust_proxy: true },
+    security: { 
+      trust_proxy: true,
+      trusted_proxies: ["127.0.0.1", "::1"], // Adjust to actual proxy IP/range
+    },
   })
 })

Note: You would need to determine the actual IP address or range used by the StartOS proxy.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@startos/init/seedFiles.ts` around lines 12 - 14, Set the `trusted_proxies`
configuration explicitly to the proxy's IP address or range instead of leaving
it empty, providing defense in depth against potential X-Forwarded-For header
spoofing if the network configuration changes. Additionally, update or replace
the existing comment that references setting a proxy address to clarify the
actual security approach being used and document the proxy's IP range for future
maintainability, removing the confusing statement about what would happen if a
wrong proxy address were set.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@startos/init/seedFiles.ts`:
- Around line 4-5: The comment on lines 4-5 in startos/init/seedFiles.ts
incorrectly describes what the code sets. It claims the merge operation writes
"new schema defaults (fixed host/port/storage)" but the actual merge call only
explicitly sets "security.trust_proxy". Update the comment to accurately state
that the code seeds wisp.toml on every init to ensure trust_proxy is configured,
and clarify that schema defaults for host, port, and storage are applied during
file read and validation, not by the merge operation itself. Replace the comment
with the provided suggestion to reflect what the code actually does.

---

Nitpick comments:
In `@startos/init/seedFiles.ts`:
- Around line 12-14: Set the `trusted_proxies` configuration explicitly to the
proxy's IP address or range instead of leaving it empty, providing defense in
depth against potential X-Forwarded-For header spoofing if the network
configuration changes. Additionally, update or replace the existing comment that
references setting a proxy address to clarify the actual security approach being
used and document the proxy's IP range for future maintainability, removing the
confusing statement about what would happen if a wrong proxy address were set.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4d29e954-cb95-4d3d-9e03-228332dc2478

📥 Commits

Reviewing files that changed from the base of the PR and between a9c6ea7 and f8150e4.

📒 Files selected for processing (1)
  • startos/init/seedFiles.ts

Comment thread startos/init/seedFiles.ts Outdated
@wksantiago
wksantiago requested a review from kwsantiago June 16, 2026 00:31
@wksantiago

Copy link
Copy Markdown
Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 16, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@kwsantiago

Copy link
Copy Markdown
Contributor

Superseded by #7, which lands the per-IP fix off current master. Behind the StartOS proxy all clients share the proxy IP, so rather than trusting X-Forwarded-For (which depends on the proxy injecting it, and trusting it from any peer is a spoofing surface if it does not), #7 stops limiting per IP entirely and relies on global max_connections plus the event/query rate limits, matching how nostr-rs-relay and strfry are packaged.

@kwsantiago kwsantiago closed this Jun 17, 2026
@wksantiago
wksantiago deleted the fix-trust-proxy branch June 17, 2026 18:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Per-IP connection limit caps relay at 10 connections behind StartOS proxy

2 participants