Add environment variable control for trust proxy setting (#5226)

* feat: allow trust proxy setting to be configured via environment variable

* fix: restore HTTP_DENY_LIST in .env.example after merge conflict

* feat: add conditional handling for trust proxy

* feat: add trust proxy environment variable documentation

* feat: add trust proxy environment variable sample value

* fix: handle empty trust proxy string in docker environment

---------

Co-authored-by: Henry Heng <henryheng@flowiseai.com>

Author: chungyau97

CONTRIBUTING.md

@@ -174,3 +174,4 @@ JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 # HTTP_DENY_LIST=
 # CUSTOM_MCP_SECURITY_CHECK=true
 # CUSTOM_MCP_PROTOCOL=sse #(stdio | sse)
+# TRUST_PROXY=true #(true | false | 1 | loopback| linklocal | uniquelocal | IP addresses | loopback, IP addresses)

docker/.env.example

@@ -140,10 +140,11 @@ services:
             - REDIS_KEEP_ALIVE=${REDIS_KEEP_ALIVE}
             - ENABLE_BULLMQ_DASHBOARD=${ENABLE_BULLMQ_DASHBOARD}
 
-              # SECURITY
+            # SECURITY
             - CUSTOM_MCP_SECURITY_CHECK=${CUSTOM_MCP_SECURITY_CHECK}
             - CUSTOM_MCP_PROTOCOL=${CUSTOM_MCP_PROTOCOL}
             - HTTP_DENY_LIST=${HTTP_DENY_LIST}
+            - TRUST_PROXY=${TRUST_PROXY}
         healthcheck:
             test: ['CMD', 'curl', '-f', 'http://localhost:${PORT:-3000}/api/v1/ping']
             interval: 10s
@@ -282,10 +283,11 @@ services:
             - REDIS_KEEP_ALIVE=${REDIS_KEEP_ALIVE}
             - ENABLE_BULLMQ_DASHBOARD=${ENABLE_BULLMQ_DASHBOARD}
 
-              # SECURITY
+            # SECURITY
             - CUSTOM_MCP_SECURITY_CHECK=${CUSTOM_MCP_SECURITY_CHECK}
             - CUSTOM_MCP_PROTOCOL=${CUSTOM_MCP_PROTOCOL}
             - HTTP_DENY_LIST=${HTTP_DENY_LIST}
+            - TRUST_PROXY=${TRUST_PROXY}
         healthcheck:
             test: ['CMD', 'curl', '-f', 'http://localhost:${WORKER_PORT:-5566}/healthz']
             interval: 10s

docker/docker-compose-queue-prebuilt.yml

@@ -125,10 +125,11 @@ services:
             - REDIS_KEEP_ALIVE=${REDIS_KEEP_ALIVE}
             - ENABLE_BULLMQ_DASHBOARD=${ENABLE_BULLMQ_DASHBOARD}
 
-              # SECURITY
+            # SECURITY
             - CUSTOM_MCP_SECURITY_CHECK=${CUSTOM_MCP_SECURITY_CHECK}
             - CUSTOM_MCP_PROTOCOL=${CUSTOM_MCP_PROTOCOL}
             - HTTP_DENY_LIST=${HTTP_DENY_LIST}
+            - TRUST_PROXY=${TRUST_PROXY}
         ports:
             - '${PORT}:${PORT}'
         healthcheck:

docker/docker-compose.yml

@@ -174,3 +174,4 @@ JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 # HTTP_DENY_LIST=
 # CUSTOM_MCP_SECURITY_CHECK=true
 # CUSTOM_MCP_PROTOCOL=sse #(stdio | sse)
+# TRUST_PROXY=true #(true | false | 1 | loopback| linklocal | uniquelocal | IP addresses | loopback, IP addresses)

docker/worker/.env.example

@@ -129,7 +129,7 @@ services:
             - CUSTOM_MCP_SECURITY_CHECK=${CUSTOM_MCP_SECURITY_CHECK}
             - CUSTOM_MCP_PROTOCOL=${CUSTOM_MCP_PROTOCOL}
             - HTTP_DENY_LIST=${HTTP_DENY_LIST}
-
+            - TRUST_PROXY=${TRUST_PROXY}
         ports:
             - '${WORKER_PORT}:${WORKER_PORT}'
         healthcheck:

docker/worker/docker-compose.yml

@@ -174,6 +174,7 @@ JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 # HTTP_DENY_LIST=
 # CUSTOM_MCP_SECURITY_CHECK=true
 # CUSTOM_MCP_PROTOCOL=sse #(stdio | sse)
+# TRUST_PROXY=true #(true | false | 1 | loopback| linklocal | uniquelocal | IP addresses | loopback, IP addresses)
 
 
 ############################################################################################################

packages/server/.env.example

@@ -77,7 +77,8 @@ export abstract class BaseCommand extends Command {
         ENABLE_BULLMQ_DASHBOARD: Flags.string(),
         CUSTOM_MCP_SECURITY_CHECK: Flags.string(),
         CUSTOM_MCP_PROTOCOL: Flags.string(),
-        HTTP_DENY_LIST: Flags.string()
+        HTTP_DENY_LIST: Flags.string(),
+        TRUST_PROXY: Flags.string()
     }
 
     protected async stopProcess() {
@@ -210,5 +211,6 @@ export abstract class BaseCommand extends Command {
         if (flags.CUSTOM_MCP_SECURITY_CHECK) process.env.CUSTOM_MCP_SECURITY_CHECK = flags.CUSTOM_MCP_SECURITY_CHECK
         if (flags.CUSTOM_MCP_PROTOCOL) process.env.CUSTOM_MCP_PROTOCOL = flags.CUSTOM_MCP_PROTOCOL
         if (flags.HTTP_DENY_LIST) process.env.HTTP_DENY_LIST = flags.HTTP_DENY_LIST
+        if (flags.TRUST_PROXY) process.env.TRUST_PROXY = flags.TRUST_PROXY
     }
 }

packages/server/src/commands/base.ts

@@ -163,7 +163,19 @@ export class App {
         this.app.use(express.urlencoded({ limit: flowise_file_size_limit, extended: true }))
 
         // Enhanced trust proxy settings for load balancer
-        this.app.set('trust proxy', true) // Trust all proxies
+        let trustProxy: string | boolean | number | undefined = process.env.TRUST_PROXY
+        if (typeof trustProxy === 'undefined' || trustProxy.trim() === '' || trustProxy === 'true') {
+            // Default to trust all proxies
+            trustProxy = true
+        } else if (trustProxy === 'false') {
+            // Disable trust proxy
+            trustProxy = false
+        } else if (!isNaN(Number(trustProxy))) {
+            // Number: Trust specific number of proxies
+            trustProxy = Number(trustProxy)
+        }
+
+        this.app.set('trust proxy', trustProxy)
 
         // Allow access from specified domains
         this.app.use(cors(getCorsOptions()))