Skip to content

fix http config section being dropped so trustedHeaders and disableRateLimit apply#2602

Merged
gtsteffaniak merged 1 commit into
gtsteffaniak:dev/v1.5.1from
mvanhorn:fix/2560-http-config-section-dropped
Jul 5, 2026
Merged

fix http config section being dropped so trustedHeaders and disableRateLimit apply#2602
gtsteffaniak merged 1 commit into
gtsteffaniak:dev/v1.5.1from
mvanhorn:fix/2560-http-config-section-dropped

Conversation

@mvanhorn

@mvanhorn mvanhorn commented Jul 5, 2026

Copy link
Copy Markdown

According to the contributing guide, a PR should contain:

  • A clear description of why it was opened.
  • A short title that best describes the change.
  • Must pass unit and integration tests, which can be run checked locally prior to opening a PR.
  • Any additional details for functionality not covered by tests.

Summary

This restores the http: config section so trustedHeaders and disableRateLimit are applied instead of being silently dropped. With the section honored again, X-Forwarded-For from a trusted proxy is used for the client IP.

Why this matters

Reported in #2560: users behind a reverse proxy set http.trustedHeaders: [X-Forwarded-For] but access logs still showed the proxy address 127.0.0.1 instead of the real client IP, and the setting had no effect.

The root cause is in loadConfigWithDefaults (backend/common/settings/config.go). After the first YAML pass, the loader filters the raw config down to a validFields whitelist of top-level Settings keys before the strict decode. That whitelist listed server, auth, integrations, frontend, and userDefaults but omitted http, even though Settings has a top-level Http field tagged json:"http". As a result the whole http: block (including trustedHeaders and disableRateLimit) was stripped before decoding, so Config.Http.TrustedHeadersArray stayed empty, setupHttp() never built the TrustedHeaders map, and getRemoteIP never trusted X-Forwarded-For.

Adding "http": true to the whitelist preserves the section so it is decoded and applied.

Testing

  • Added a regression test (TestConfigLoadHttpSection) that loads a config with an http: section setting trustedHeaders: [X-Forwarded-For] and disableRateLimit: true, then asserts the section survives loadConfigWithDefaults (Config.Http.TrustedHeadersArray contains X-Forwarded-For and Config.Http.DisableRateLimit is true). This fails before the fix because the section is dropped.
  • go test ./common/settings/..., go vet ./common/settings/..., go build ./..., and gofmt all pass locally.

Fixes #2560

Summary by CodeRabbit

  • Bug Fixes

    • Improved config loading so http settings in YAML are now preserved and applied correctly.
    • Fixed an issue where certain HTTP options could be dropped during config parsing, causing them to be ignored.
  • Tests

    • Added coverage to verify http configuration values load as expected, including trusted headers and rate-limit settings.

@coderabbitai

coderabbitai Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

The config-loading whitelist in loadConfigWithDefaults now includes the "http" top-level YAML key, preventing it from being stripped during parsing. A test was added to verify Http.TrustedHeadersArray and Http.DisableRateLimit are correctly loaded from config YAML.

Changes

HTTP Config Section Fix

Layer / File(s) Summary
Whitelist http section in config parsing
backend/common/settings/config.go
Added "http": true to the validFields map so the http section survives filtering during config load.
Test http section loading
backend/common/settings/config_test.go
New test writes a temp config with an http section and asserts TrustedHeadersArray and DisableRateLimit are correctly populated.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Poem

A whisper of "http" was lost in the fray,
Filtered out, hopping away.
Now whitelisted, trusted headers stand tall,
No more 127.0.0.1 fooling us all!
🐰 Hop, decode, and validate — done!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Linked Issues check ✅ Passed The change restores the http section during config loading and adds a regression test, which matches issue #2560's expected behavior.
Out of Scope Changes check ✅ Passed The only code and test changes are directly related to loading the http config section and verifying its fields.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the core fix: preserving the HTTP config section so trustedHeaders and disableRateLimit take effect.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gtsteffaniak

Copy link
Copy Markdown
Owner

thanks for identifying and submitting this fix! This will go to beta and get backported to stable in the next releases which should be this week soon.

@gtsteffaniak gtsteffaniak changed the base branch from main to dev/v1.5.1 July 5, 2026 13:17
@gtsteffaniak gtsteffaniak merged commit 50f5c1f into gtsteffaniak:dev/v1.5.1 Jul 5, 2026
22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

X-Forwarded-For header is not honoured even though it has been set via configuration

2 participants