Running zwavejs behind reverse proxy (traefik) for web UI only generates error. #3506

Closed
haydonryan opened this issue Jan 5, 2024 · 8 comments

@haydonryan

express-rate-limit throws an error when accessing the web UI behind a reverse proxy. It works, but the error is there. Is there a way to expose express-rate-limit options outside of the container? E.g. for trusted proxy IPs, or add the skip validation step to your config?
(Set validate: {xForwardedForHeader: false} in the options to disable the check.)

zwave-js-ui  | 2024-01-05 12:52:49.149 INFO Z-WAVE: Controller status: Scan completed
zwave-js-ui  | 2024-01-05 12:52:49.150 INFO Z-WAVE: Network scan complete. Found: 18 nodes
zwave-js-ui  | ValidationError: The 'X-Forwarded-For' header is set but the Express 'trust proxy' setting is false (default). This could indicate a misconfiguration which would prevent express-rate-limit from accurately identifying users. See https://express-rate-limit.github.io/ERR_ERL_UNEXPECTED_X_FORWARDED_FOR/ for more information.
zwave-js-ui  |     at Object.xForwardedForHeader (/usr/src/app/node_modules/express-rate-limit/dist/index.cjs:166:13)
zwave-js-ui  |     at Object.wrappedValidations.<computed> [as xForwardedForHeader] (/usr/src/app/node_modules/express-rate-limit/dist/index.cjs:324:22)
zwave-js-ui  |     at Object.keyGenerator (/usr/src/app/node_modules/express-rate-limit/dist/index.cjs:579:20)
zwave-js-ui  |     at /usr/src/app/node_modules/express-rate-limit/dist/index.cjs:629:32
zwave-js-ui  |     at /usr/src/app/node_modules/express-rate-limit/dist/index.cjs:611:5 {
zwave-js-ui  |   code: 'ERR_ERL_UNEXPECTED_X_FORWARDED_FOR',
zwave-js-ui  |   help: 'https://express-rate-limit.github.io/ERR_ERL_UNEXPECTED_X_FORWARDED_FOR/'
zwave-js-ui  | }
zwave-js-ui  | 2024-01-05 12:52:53.853 INFO APP: GET /api/auth-enabled 200 34.243 ms - 29
zwave-js-ui  | 2024-01-05 12:52:53.876 INFO APP: GET /apple-touch-icon-180x180.png 200 18.391 ms - 1268

haydonryan added the question label (Further information is requested) on Jan 5, 2024
@robertsLando
Member

I use nginx without any problem, maybe you could remove that header from your proxy?

@derekolson

This header is important for a reverse proxy to pass, to relay the real IP for incoming clients for authentication and rate-limiting. If you do not pass this, all requests look like they are coming solely from the proxy. It seems like there was a previous PR #2963 to add the 'trust proxy' setting, but it was rescinded. This is usually defined in an environment variable with the IP of your proxy.

@robertsLando
Member

Done, use TRUST_PROXY env var.

@derekolson

@robertsLando thanks for the quick commit. However, just setting trust proxy to true is not exactly what I was saying. For security reasons the env var should take the IP address of your reverse proxy so that it only trusts requests coming from that IP.
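
What the settings discussed in the comment above do to the client address a rate limiter would key on, as an added example that is not part of the thread and is not zwave-js-ui or Express code: a simplified model of the right-to-left X-Forwarded-For walk. The setting value forms, exact-IP matching (no CIDR ranges), the assumption that the proxy appends the peer address to an incoming header, and all addresses are constructed for illustration.

```javascript
// Added example (not zwave-js-ui or Express source). Simplified model of the
// X-Forwarded-For walk behind Express's 'trust proxy' setting.
// Assumptions: the setting value forms are illustrative; only exact IPs are
// matched (no CIDR ranges); all addresses are constructed sample values.

// Turn a setting string into a predicate (addr, hopIndex) => trusted?
function compileTrust(value) {
  const v = String(value ?? 'false').trim();
  if (v === 'true') return () => true;               // trust every hop
  if (v === 'false' || v === '') return () => false; // Express default
  if (/^\d+$/.test(v)) return (_addr, i) => i < Number(v); // hop count
  const allowed = new Set(v.split(',').map((s) => s.trim()));
  return (addr) => allowed.has(addr);                // explicit proxy IPs
}

// Walk from the TCP peer outwards through X-Forwarded-For (right to left)
// and return the first address that is not a trusted proxy.
function clientIp(socketAddr, xForwardedFor, trust) {
  const forwarded = (xForwardedFor || '')
    .split(',').map((s) => s.trim()).filter(Boolean).reverse();
  const chain = [socketAddr, ...forwarded];
  for (let i = 0; i < chain.length - 1; i++) {
    if (!trust(chain[i], i)) return chain[i];
  }
  return chain[chain.length - 1];
}

// Constructed scenario: proxy at 172.18.0.2 appends the real client
// 203.0.113.7 to a header whose first entry was supplied by the client.
const PROXY = '172.18.0.2';
const XFF = '198.51.100.99, 203.0.113.7';

function demo() {
  return {
    off: clientIp(PROXY, XFF, compileTrust('false')),  // the proxy itself
    all: clientIp(PROXY, XFF, compileTrust('true')),   // client-supplied entry
    pinned: clientIp(PROXY, XFF, compileTrust(PROXY)), // address the proxy saw
    // Request that bypasses the proxy: its header is ignored entirely.
    direct: clientIp('203.0.113.7', '10.0.0.1', compileTrust(PROXY)),
  };
}

console.log(demo());
```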

@robertsLando
Member

OK, let me do the fix to allow setting the trust proxy as a value. I was inspired by the closed PR and added the missing things.

@robertsLando
Member

@derekolson Done

@haydonryan
Author

Thank you - this is perfect.

@sholdee

sholdee commented Jan 28, 2024

> @derekolson Done

Thank you for this. I was meaning to open an issue, and then I saw the changelog when I updated. This is great.
