From 89e9880f765b3960d12dbd3d0403fff56acb4baa Mon Sep 17 00:00:00 2001
From: Spencer Twaddle <7374698+stwaddle@users.noreply.github.com>
Date: Sat, 2 May 2026 15:55:13 -0500
Subject: [PATCH] Add ForwardedHeaders middleware for nginx-proxy

Clears KnownNetworks/KnownProxies to trust X-Forwarded-For from any upstream, since nginx-proxy sits at a dynamically assigned internal IP. Without this, RemoteIpAddress is always the proxy IP, breaking any per-client IP resolution.

Co-Authored-By: Claude Sonnet 4.6
---
 src/Budget.Api/Program.cs | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/Budget.Api/Program.cs b/src/Budget.Api/Program.cs
index 2c0dfc0..8c97441 100644
--- a/src/Budget.Api/Program.cs
+++ b/src/Budget.Api/Program.cs
@@ -2,6 +2,7 @@ using Budget.Api.Data;
 using Budget.Api.Services;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Diagnostics.HealthChecks;
+using Microsoft.AspNetCore.HttpOverrides;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Diagnostics.HealthChecks;
 using Microsoft.Extensions.Options;
@@ -18,6 +19,13 @@ var connStr = builder.Configuration.GetConnectionString("DefaultConnection")
 builder.Services.AddDbContext(opt => opt.UseNpgsql(connStr));
+builder.Services.Configure(options =>
+{
+ options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
+ options.KnownNetworks.Clear();
+ options.KnownProxies.Clear();
+});
+
 var oidc = builder.Configuration.GetSection("Oidc");
 builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
 .AddJwtBearer(options =>
@@ -82,6 +90,8 @@ using (var scope = app.Services.CreateScope())
 await db.Database.MigrateAsync();
 }
+app.UseForwardedHeaders();
+
 app.UseDefaultFiles();
 app.UseStaticFiles();
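Review bot: With `KnownNetworks` and `KnownProxies` both cleared in the `Configure` block of the second hunk, the middleware enabled by `app.UseForwardedHeaders()` in the third hunk accepts `X-Forwarded-For` and `X-Forwarded-Proto` from any peer, so a client that reaches Kestrel without passing through nginx-proxy can set its own `RemoteIpAddress` and request scheme. Anything keyed on the client address or scheme (rate limiting, audit logging, IP allow-lists, HTTPS checks) would then rest on an unauthenticated header. Because the proxy's address is dynamic, consider trusting the container network's subnet instead of every source, read from configuration, e.g. `options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse(proxySubnet), proxyPrefixLength));`, where both values are placeholders for deployment settings and the exact network type depends on the target framework. If the clear-all stays, state the assumption above it with a comment such as `// Trusts forwarded headers from any peer: valid only while the API port is reachable solely through nginx-proxy.` and keep that port unpublished outside the proxy network.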