feat(server): add IP trust list for reverse proxy
Added support for configurable trusted proxy IPs using environment variables. This enhancement allows you to specify trusted proxy IPs directly through environment settings, improving flexibility and security in various deployment environments.
It follows the rules of the Express trust proxy option. See Behind Proxies.
New Environment Variable:
IMMICH_TRUSTED_PROXIES: A comma-separated list of IP addresses that should be trusted as proxies.
Example Usage in Docker Compose:
version: '3.8'
services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - .env
    environment:
      # Comma-separated list of proxy IPs to trust
      - IMMICH_TRUSTED_PROXIES=192.168.0.1,192.168.0.2
    ports:
      - 2283:3001
    depends_on:
      - redis
      - database
    restart: always
With this fix, you can now manage trusted proxy IPs without modifying the application code, making it easier to adjust settings in different environments.
Please also add this to the env var validation and the docs.
Please also add this to the [env var validation].
I cannot validate the IPs without creating a huge regexp; can I just validate the string? Accepting suggestions for that.
Those should all be valid inputs and validating them precisely is a bit of a mess.
console.log(validateAndSplit("192.168.1.1;2001:db8::ff00:42:8329;10.0.0.0/24")); // ["192.168.1.1", "2001:db8::ff00:42:8329", "10.0.0.0/24"]
console.log(validateAndSplit("")); // []
console.log(validateAndSplit(undefined)); // []
Added validation with the following tests in mind:
Success with:
IMMICH_TRUSTED_PROXIES="192.168.1.1,2001:db8::ff00:42:8329,10.0.0.0/24"
IMMICH_TRUSTED_PROXIES="10.0.0.0/24"
IMMICH_TRUSTED_PROXIES="192.168.1.1"
IMMICH_TRUSTED_PROXIES="2001:db8::ff00:42:8329"
IMMICH_TRUSTED_PROXIES=""
Those cases fail the validation:
IMMICH_TRUSTED_PROXIES="notAnIP"
IMMICH_TRUSTED_PROXIES="192.168.1.1,notAnIP"
IMMICH_TRUSTED_PROXIES="notAnIPv4,notAnIPv6"
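One way to validate the comma-separated list discussed in this thread without a large regexp, shown as an added example that is not the PR's code: it relies on Node's built-in `net.isIP` plus a prefix-length check. The function names `isIpOrCidr` and `parseTrustedProxies` are hypothetical, and the inputs are the cases listed above.

```javascript
const net = require('node:net');

// Returns true for a bare IPv4/IPv6 address or an "address/prefix" CIDR range.
function isIpOrCidr(entry) {
  const [address, prefix, ...rest] = entry.split('/');
  if (rest.length > 0) return false;            // more than one "/"
  const family = net.isIP(address);             // 0 = invalid, otherwise 4 or 6
  if (family === 0) return false;
  if (prefix === undefined) return true;        // bare address, no prefix
  if (!/^\d{1,3}$/.test(prefix)) return false;  // digits only: no sign, no spaces
  return Number(prefix) <= (family === 4 ? 32 : 128);
}

// Splits the raw environment value and rejects it as a whole if any entry is
// invalid, so a typo never results in a silently shortened trust list.
function parseTrustedProxies(raw) {
  if (raw === undefined || raw.trim() === '') return [];
  const entries = raw.split(',').map((e) => e.trim());
  const invalid = entries.filter((e) => !isIpOrCidr(e));
  if (invalid.length > 0) {
    throw new Error(`IMMICH_TRUSTED_PROXIES has invalid entries: ${invalid.join(', ')}`);
  }
  return entries;
}

// Constructed check over the cases from this thread: returns true if the value
// is accepted, false if validation rejects it.
function accepts(raw) {
  try {
    parseTrustedProxies(raw);
    return true;
  } catch {
    return false;
  }
}
```

Failing closed on any bad entry matters here because the trust list decides which hops' `X-Forwarded-For` values Express believes when it derives the client IP.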