fix http config section being dropped so trustedHeaders and disableRateLimit apply#2602
Conversation
…ableRateLimit are applied
📝 WalkthroughWalkthroughThe config-loading whitelist in ChangesHTTP Config Section Fix
Estimated code review effort: 1 (Trivial) | ~3 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
thanks for identifying and submitting this fix! This will go to beta and get backported to stable in the next releases which should be this week soon. |
According to the contributing guide, a PR should contain:
Summary
This restores the
http:config section sotrustedHeadersanddisableRateLimitare applied instead of being silently dropped. With the section honored again,X-Forwarded-Forfrom a trusted proxy is used for the client IP.Why this matters
Reported in #2560: users behind a reverse proxy set
http.trustedHeaders: [X-Forwarded-For]but access logs still showed the proxy address127.0.0.1instead of the real client IP, and the setting had no effect.The root cause is in
loadConfigWithDefaults(backend/common/settings/config.go). After the first YAML pass, the loader filters the raw config down to avalidFieldswhitelist of top-levelSettingskeys before the strict decode. That whitelist listedserver,auth,integrations,frontend, anduserDefaultsbut omittedhttp, even thoughSettingshas a top-levelHttpfield taggedjson:"http". As a result the wholehttp:block (includingtrustedHeadersanddisableRateLimit) was stripped before decoding, soConfig.Http.TrustedHeadersArraystayed empty,setupHttp()never built theTrustedHeadersmap, andgetRemoteIPnever trustedX-Forwarded-For.Adding
"http": trueto the whitelist preserves the section so it is decoded and applied.Testing
TestConfigLoadHttpSection) that loads a config with anhttp:section settingtrustedHeaders: [X-Forwarded-For]anddisableRateLimit: true, then asserts the section survivesloadConfigWithDefaults(Config.Http.TrustedHeadersArraycontainsX-Forwarded-ForandConfig.Http.DisableRateLimitis true). This fails before the fix because the section is dropped.go test ./common/settings/...,go vet ./common/settings/...,go build ./..., andgofmtall pass locally.Fixes #2560
Summary by CodeRabbit
Bug Fixes
httpsettings in YAML are now preserved and applied correctly.Tests
httpconfiguration values load as expected, including trusted headers and rate-limit settings.