
fix(nginx): correct real_ip_header typo X-Forward-For → X-Forwarded-For #8935

Open
MinitJain wants to merge 1 commit into makeplane:preview from MinitJain:fix/nginx-real-ip-header-typo

Conversation

@MinitJain

@MinitJain MinitJain commented Apr 26, 2026

Description

Fixes #8934

All three nginx configs had a typo in the real_ip_header directive — X-Forward-For instead of the standard X-Forwarded-For. X-Forward-For is not a real HTTP header, so Nginx silently ignored the directive and never replaced $remote_addr with the actual client IP.

Changes:

  • Fixed real_ip_header X-Forward-For → real_ip_header X-Forwarded-For in apps/web/nginx/nginx.conf
  • Fixed real_ip_header X-Forward-For → real_ip_header X-Forwarded-For in apps/admin/nginx/nginx.conf
  • Fixed real_ip_header X-Forward-For → real_ip_header X-Forwarded-For in apps/space/nginx/nginx.conf

One character added in 3 files, nothing else.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • Feature (non-breaking change which adds functionality)
  • Improvement (change that would cause existing functionality to not work as expected)
  • Code refactoring
  • Performance improvements
  • Documentation update

Test Scenarios

  1. Deploy behind a proxy or CDN that sets X-Forwarded-For
  2. Verify Nginx logs show the real client IP, not the proxy IP
  3. Verify rate limiting applies per real client IP, not per proxy

References

Closes #8934

Summary by CodeRabbit

  • Bug Fixes
    • Updated server configurations across admin, space, and web applications to correctly identify real client IP addresses from incoming proxy headers. These changes standardize IP detection behavior across the platform, fixing inconsistencies and ensuring accurate and reliable client identification. All services now consistently process client IP information in a uniform manner.

X-Forward-For is not a real HTTP header — the standard is X-Forwarded-For.
With the typo, Nginx never replaces $remote_addr with the actual client IP,
so rate limiting and IP logging see the proxy IP instead of the real client.
Affects all three nginx configs (web, admin, space).
@coderabbitai
Contributor

coderabbitai Bot commented Apr 26, 2026

πŸ“ Walkthrough

Walkthrough

This pull request corrects a typo across three Nginx configuration files. The real_ip_header directive in each file is being changed from the non-standard X-Forward-For to the correct HTTP header name X-Forwarded-For, enabling proper real client IP extraction when behind proxies.

Changes

Cohort / File(s) | Summary
Nginx Real-IP Header Typo Fix: apps/admin/nginx/nginx.conf, apps/space/nginx/nginx.conf, apps/web/nginx/nginx.conf | Corrected real_ip_header directive from non-standard X-Forward-For to standard X-Forwarded-For header name for proper real client IP extraction behind proxies.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A hop, a skip, a typo squashed with care,
X-Forward-For → X-Forwarded-For in the air,
Now proxies forward truthfully, no more strife,
Real IPs shine bright in the Nginx life! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title accurately describes the main change: correcting a typo in the Nginx real_ip_header directive from X-Forward-For to X-Forwarded-For across three configuration files.
Description check | ✅ Passed | The PR description is well-structured, follows the template with all major sections completed, clearly explains the bug and fix, and provides specific test scenarios.
Linked Issues check | ✅ Passed | The PR fully addresses all coding requirements from issue #8934: corrects the typo in all three Nginx config files (apps/web, apps/admin, apps/space) from X-Forward-For to X-Forwarded-For, enabling proper real IP extraction.
Out of Scope Changes check | ✅ Passed | All changes are directly in scope: only the typo correction in the real_ip_header directive across three Nginx config files is modified, with no extraneous changes.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/space/nginx/nginx.conf`:
- Around line 12-15: The configuration currently uses set_real_ip_from 0.0.0.0/0
with real_ip_header X-Forwarded-For, which allows IP spoofing and defeats
limit_req_zone using $binary_remote_addr and $remote_addr; replace the wildcard
trust with the actual proxy/CDN/load-balancer CIDR ranges (or make
set_real_ip_from values configurable) so only trusted upstreams can set
X-Forwarded-For, and document the behavior if you must accept arbitrary sources;
update the same change in the other nginx.conf files that use set_real_ip_from,
real_ip_header, and limit_req_zone to ensure rate limits and logs remain
reliable.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8782b2aa-8b26-4e35-80b3-049ca833e2ae

📥 Commits

Reviewing files that changed from the base of the PR and between 32fb88a and 67ef8f5.

📒 Files selected for processing (3)
  • apps/admin/nginx/nginx.conf
  • apps/space/nginx/nginx.conf
  • apps/web/nginx/nginx.conf

Comment on lines 12 to 15
set_real_ip_from 0.0.0.0/0;
real_ip_recursive on;
real_ip_header X-Forward-For;
real_ip_header X-Forwarded-For;
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;
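Review bot: the corrected `real_ip_header X-Forwarded-For` line is right, but with the `set_real_ip_from 0.0.0.0/0` and `real_ip_recursive on` lines at the top of this hunk every address in the chain counts as a trusted proxy, so the recursive walk always ends on the leftmost X-Forwarded-For entry, the one furthest from nginx and least verifiable, and the `limit_req_zone $binary_remote_addr` key on the last line is then derived from it. Restricting `set_real_ip_from` to the proxy or CDN ranges actually in front of nginx (or making it configurable per deployment) makes the walk stop at the first untrusted hop; the same four-line block appears in the apps/admin and apps/web configs.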
Contributor


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Confirm the same permissive trust list exists in all three nginx.conf files touched by this PR.
fd -t f 'nginx\.conf$' apps | xargs -I{} sh -c 'echo "=== {} ==="; grep -nE "set_real_ip_from|real_ip_header|real_ip_recursive|limit_req_zone" {}'

Repository: makeplane/plane

Length of output: 756


🏁 Script executed:

cd /tmp && git -C /tmp/makeplane/plane log --oneline -20 -- apps/space/nginx/nginx.conf apps/admin/nginx/nginx.conf apps/web/nginx/nginx.conf 2>/dev/null || echo "Git history unavailable; checking file content instead"

Repository: makeplane/plane

Length of output: 114


🏁 Script executed:

# Check if there are any diffs or recent changes to these files
git -C /tmp/makeplane/plane diff HEAD~5 -- apps/space/nginx/nginx.conf apps/admin/nginx/nginx.conf apps/web/nginx/nginx.conf 2>/dev/null | head -100 || echo "Unable to retrieve recent diffs"

Repository: makeplane/plane

Length of output: 41


🏁 Script executed:

# Search for 'X-Forward-For' (the alleged typo) in the current codebase to confirm it's been fixed everywhere
rg 'X-Forward-For' apps/

Repository: makeplane/plane

Length of output: 41


🏁 Script executed:

# Verify the security concern: check nginx documentation behavior for set_real_ip_from 0.0.0.0/0
# Also confirm all three files use $binary_remote_addr in rate limiting
rg -A 2 -B 2 'limit_req_zone.*\$binary_remote_addr' apps/

Repository: makeplane/plane

Length of output: 1000


set_real_ip_from 0.0.0.0/0 enables IP-spoofing attacks across all three Nginx configs.

The fix to real_ip_header X-Forwarded-For is correct, but it interacts dangerously with the trust list on line 12. Nginx is configured to trust every upstream as a legitimate proxy, so any direct client can send X-Forwarded-For: <attacker-ip> and Nginx will rewrite $remote_addr to that value. This defeats the limit_req_zone $binary_remote_addr rate limiting (trivial bypass by rotating spoofed IPs) and pollutes access logs.

This issue exists in all three affected files: apps/admin/nginx/nginx.conf, apps/space/nginx/nginx.conf, and apps/web/nginx/nginx.conf.

Restrict set_real_ip_from to actual proxy/CDN/load-balancer ranges only. For example:

-  set_real_ip_from        0.0.0.0/0;
+  set_real_ip_from        10.0.0.0/8;       # Docker/internal network
+  # set_real_ip_from      173.245.48.0/20;  # e.g. Cloudflare (if applicable)
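Review bot: the `+  set_real_ip_from 10.0.0.0/8` line is only an illustration; the correct range depends on what sits in front of nginx (Cloudflare, an AWS ELB, a custom proxy), so hardcoding one CIDR would break deployments whose proxy lives elsewhere. The directive should take its value from deployment configuration, with the commented Cloudflare line as documentation of how to extend it, and the same edit belongs in apps/admin/nginx/nginx.conf and apps/web/nginx/nginx.conf.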

If deployments must accept X-Forwarded-For from arbitrary sources, document this limitation clearly or make the trust list configurable.

πŸ“ Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
set_real_ip_from 0.0.0.0/0;
real_ip_recursive on;
real_ip_header X-Forward-For;
real_ip_header X-Forwarded-For;
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;
set_real_ip_from 10.0.0.0/8; # Docker/internal network
# set_real_ip_from 173.245.48.0/20; # e.g. Cloudflare (if applicable)
real_ip_recursive on;
real_ip_header X-Forwarded-For;
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;
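The two behaviours discussed above, the silently ignored X-Forward-For lookup from the PR description and the trust-list interaction from the review comment, modelled as an added example that is not code from the Plane repository or from nginx; resolve_remote_addr, is_trusted and the sample addresses are assumptions constructed for illustration, following nginx's documented set_real_ip_from / real_ip_recursive rules.

```python
# Added example, not code from the Plane repository: a small model of how
# nginx's realip module derives $remote_addr from set_real_ip_from,
# real_ip_header and real_ip_recursive. It shows why the X-Forward-For typo
# was a silent no-op and why the 0.0.0.0/0 trust list matters once it is fixed.
# All addresses are constructed from documentation and private ranges.
import ipaddress

def is_trusted(addr, trust_list):
    """True if addr lies inside any set_real_ip_from CIDR."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(cidr) for cidr in trust_list)

def resolve_remote_addr(peer_addr, headers, header, trust_list, recursive=True):
    """$remote_addr nginx would use: peer_addr is the TCP peer, headers a dict."""
    # The module only acts when the TCP peer itself is a trusted proxy.
    if not is_trusted(peer_addr, trust_list):
        return peer_addr
    # A header name no proxy sends ("X-Forward-For") never matches, so the
    # directive has no effect and the proxy address is kept.
    value = next((v for k, v in headers.items() if k.lower() == header.lower()), None)
    if value is None:
        return peer_addr
    chain = [a.strip() for a in value.split(",") if a.strip()]
    if not recursive:
        return chain[-1]        # real_ip_recursive off: rightmost entry only
    # real_ip_recursive on: walk right to left past trusted proxies; when every
    # entry is trusted (always true for 0.0.0.0/0) nginx ends on the leftmost.
    for addr in reversed(chain):
        if not is_trusted(addr, trust_list):
            return addr
    return chain[0]

WILDCARD = ("0.0.0.0/0",)   # trust list currently in all three nginx.conf files
INTERNAL = ("10.0.0.0/8",)  # the reviewer's suggested restriction (assumed range)

def demo():
    """Same forwarded request under the typo, the fix, and both trust lists."""
    via_proxy = {"X-Forwarded-For": "203.0.113.9"}      # proxy 10.0.0.5 -> nginx
    direct = {"X-Forwarded-For": "192.0.2.1"}           # peer 198.51.100.7 sets it
    return {
        "typo": resolve_remote_addr("10.0.0.5", via_proxy, "X-Forward-For", WILDCARD),
        "fixed": resolve_remote_addr("10.0.0.5", via_proxy, "X-Forwarded-For", WILDCARD),
        "direct_wildcard": resolve_remote_addr("198.51.100.7", direct, "X-Forwarded-For", WILDCARD),
        "direct_internal": resolve_remote_addr("198.51.100.7", direct, "X-Forwarded-For", INTERNAL),
    }
```

Under the wildcard list the direct request's own header wins, while the restricted list keeps the peer address; a multi-hop chain with real_ip_recursive on stops at the first address outside the trusted ranges.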


@MinitJain
Author

@coderabbitai set_real_ip_from 0.0.0.0/0 is pre-existing and predates this PR — this PR only fixes the real_ip_header typo. The wildcard trust range is deployment-specific (correct CIDR depends on whether the user is behind Cloudflare, AWS ELB, custom proxy, etc.) and should be addressed separately as a configurable value per deployment.

@coderabbitai
Contributor

coderabbitai Bot commented Apr 26, 2026

Only users with a collaborator, contributor, member, or owner role can interact with CodeRabbit.


Successfully merging this pull request may close these issues.

[bug]: real_ip_header directive has typo X-Forward-For instead of X-Forwarded-For in nginx configs
