Troubleshooting Proxy Issues

​

The Global Limiter Problem

If you are behind a proxy/load balancer (usually the case with most hosting services, e.g. Heroku, Bluemix, AWS ELB, Nginx, Cloudflare, Akamai, Fastly, Firebase Hosting, Rackspace LB, Riverbed Stingray, etc.), the IP address of the request might be the IP of the load balancer/reverse proxy (making the rate limiter effectively a global one and blocking all requests once the limit is reached) or undefined.

To solve this issue, please follow the steps given below.

app.set('trust proxy', 1 /* number of proxies between user and server */)

app.get('/ip', (request, response) => response.send(request.ip))

For more information about the trust proxy setting, take a look at the official Express documentation.

​

Port Numbers in IP Addresses

Sometimes, a problem arises because the format of the X-Forwarded-For header isn’t standardized between every reverse proxy out there, and Express takes the trusted value verbatim and sets it as request.ip.

While some reverse proxy pass a comma delimited list of IP address, some proxies (for example, Azure’s Application Gateway) will pass a comma delimited list of IP:PORT instead, where the port is the source port, that can change on every request. Because of this, a user can simply close and re-open their browser to bypass the rate limit timer as the source port of their HTTP request will change, even if their IP is the same. This could also be automated in some kind of script for API abuse.

As a workaround, you could strip the port number from the IP address by using a custom keyGenerator function:

keyGenerator(request: Request, _response: Response): string {
	if (!request.ip) {
		console.error('Warning: request.ip is missing!')
		return request.socket.remoteAddress
	}

	return request.ip.replace(/:\d+[^:]*$/, '')
}

See issue #234 for more info.