feat: add trusted client-IP extraction from proxy headers

Add get_client_ip() helper that inspects Forwarded and X-Forwarded-For
headers only when the direct peer is in TRUSTED_PROXIES (comma-separated
IPs/CIDRs). Replaces raw request.client.host in rate-limit and webhook
source_ip to prevent all traffic collapsing behind a reverse proxy IP.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Hugh Brown
2026-03-04 11:51:02 -07:00
committed by Abhimanyu Saharan
parent 24e40f1153
commit f1bcf72810
5 changed files with 312 additions and 5 deletions


@@ -65,6 +65,11 @@ class Settings(BaseSettings):
rate_limit_backend: RateLimitBackend = RateLimitBackend.MEMORY
rate_limit_redis_url: str = ""
# Trusted reverse-proxy IPs/CIDRs for client-IP extraction from
# Forwarded / X-Forwarded-For headers. Comma-separated.
# Leave empty to always use the direct peer address.
trusted_proxies: str = ""
# Database lifecycle
db_auto_migrate: bool = False
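
Review bot: trusted_proxies is declared as a plain str defaulting to "", so nothing in this hunk checks the comma-separated entries when settings load; whether a mistyped IP or CIDR is rejected or silently skipped depends on code outside these lines. Consider a field validator that splits the value and parses each entry with ipaddress.ip_network, so a bad entry fails at startup instead of at request time. The comment should also say that every listed address is allowed to dictate the client IP used for rate limiting and webhook source_ip, so the list should hold only proxies the operator controls and never a catch-all range such as 0.0.0.0/0.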