Sultan
/
Flowise
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add environment variable control for trust proxy setting (#5226) 

* feat: allow trust proxy setting to be configured via environment variable

* fix: restore HTTP_DENY_LIST in .env.example after merge conflict

* feat: add conditional handling for trust proxy

* feat: add trust proxy environment variable documentation

* feat: add trust proxy environment variable sample value

* fix: handle empty trust proxy string in docker environment

---------

Co-authored-by: Henry Heng <henryheng@flowiseai.com>
This commit is contained in:
Yau 2025-09-27 21:08:55 +08:00 committed by GitHub
parent e48f28d13d
commit b5da234ce7
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
9 changed files with 66 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
CONTRIBUTING.md
View File

@ -121,7 +121,7 @@ Flowise has 3 different modules in a single mono repository.
Flowise support different environment variables to configure your instance. You can specify the following variables in the `.env` file inside `packages/server` folder. Read [more](https://docs.flowiseai.com/environment-variables) Flowise support different environment variables to configure your instance. You can specify the following variables in the `.env` file inside `packages/server` folder. Read [more](https://docs.flowiseai.com/environment-variables)
| Variable | Description | Type | Default | | Variable | Description | Type | Default |
| ---------------------------------- | -------------------------------------------------------------------------------- | ------------------------------------------------ | ----------------------------------- | | ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ | ----------------------------------- |
| PORT | The HTTP port Flowise runs on | Number | 3000 | | PORT | The HTTP port Flowise runs on | Number | 3000 |
| CORS_ORIGINS | The allowed origins for all cross-origin HTTP calls | String | | | CORS_ORIGINS | The allowed origins for all cross-origin HTTP calls | String | |
| IFRAME_ORIGINS | The allowed origins for iframe src embedding | String | | | IFRAME_ORIGINS | The allowed origins for iframe src embedding | String | |
@ -159,6 +159,7 @@ Flowise support different environment variables to configure your instance. You
| GOOGLE_CLOUD_UNIFORM_BUCKET_ACCESS | Enable uniform bucket level access when `STORAGE_TYPE` is `gcs` | Boolean | true | | GOOGLE_CLOUD_UNIFORM_BUCKET_ACCESS | Enable uniform bucket level access when `STORAGE_TYPE` is `gcs` | Boolean | true |
| SHOW_COMMUNITY_NODES | Show nodes created by community | Boolean | | | SHOW_COMMUNITY_NODES | Show nodes created by community | Boolean | |
| DISABLED_NODES | Hide nodes from UI (comma separated list of node names) | String | | | DISABLED_NODES | Hide nodes from UI (comma separated list of node names) | String | |
| TRUST_PROXY | Configure proxy trust settings for proper IP detection. Values: 'true' (trust all), 'false' (disable), number (hop count), or Express proxy values (e.g., 'loopback', 'linklocal', 'uniquelocal', IP addresses). [Learn More](https://expressjs.com/en/guide/behind-proxies.html) | Boolean/String/Number | true |
You can also specify the env variables when using `npx`. For example: You can also specify the env variables when using `npx`. For example:

1
docker/.env.example
View File

@ -174,3 +174,4 @@ JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
# HTTP_DENY_LIST= # HTTP_DENY_LIST=
# CUSTOM_MCP_SECURITY_CHECK=true # CUSTOM_MCP_SECURITY_CHECK=true
# CUSTOM_MCP_PROTOCOL=sse #(stdio | sse) # CUSTOM_MCP_PROTOCOL=sse #(stdio | sse)
# TRUST_PROXY=true #(true | false | 1 | loopback| linklocal | uniquelocal | IP addresses | loopback, IP addresses)

2
docker/docker-compose-queue-prebuilt.yml
View File

@ -144,6 +144,7 @@ services:
- CUSTOM_MCP_SECURITY_CHECK=${CUSTOM_MCP_SECURITY_CHECK} - CUSTOM_MCP_SECURITY_CHECK=${CUSTOM_MCP_SECURITY_CHECK}
- CUSTOM_MCP_PROTOCOL=${CUSTOM_MCP_PROTOCOL} - CUSTOM_MCP_PROTOCOL=${CUSTOM_MCP_PROTOCOL}
- HTTP_DENY_LIST=${HTTP_DENY_LIST} - HTTP_DENY_LIST=${HTTP_DENY_LIST}
- TRUST_PROXY=${TRUST_PROXY}
healthcheck: healthcheck:
test: ['CMD', 'curl', '-f', 'http://localhost:${PORT:-3000}/api/v1/ping'] test: ['CMD', 'curl', '-f', 'http://localhost:${PORT:-3000}/api/v1/ping']
interval: 10s interval: 10s
@ -286,6 +287,7 @@ services:
- CUSTOM_MCP_SECURITY_CHECK=${CUSTOM_MCP_SECURITY_CHECK} - CUSTOM_MCP_SECURITY_CHECK=${CUSTOM_MCP_SECURITY_CHECK}
- CUSTOM_MCP_PROTOCOL=${CUSTOM_MCP_PROTOCOL} - CUSTOM_MCP_PROTOCOL=${CUSTOM_MCP_PROTOCOL}
- HTTP_DENY_LIST=${HTTP_DENY_LIST} - HTTP_DENY_LIST=${HTTP_DENY_LIST}
- TRUST_PROXY=${TRUST_PROXY}
healthcheck: healthcheck:
test: ['CMD', 'curl', '-f', 'http://localhost:${WORKER_PORT:-5566}/healthz'] test: ['CMD', 'curl', '-f', 'http://localhost:${WORKER_PORT:-5566}/healthz']
interval: 10s interval: 10s

1
docker/docker-compose.yml
View File

@ -129,6 +129,7 @@ services:
- CUSTOM_MCP_SECURITY_CHECK=${CUSTOM_MCP_SECURITY_CHECK} - CUSTOM_MCP_SECURITY_CHECK=${CUSTOM_MCP_SECURITY_CHECK}
- CUSTOM_MCP_PROTOCOL=${CUSTOM_MCP_PROTOCOL} - CUSTOM_MCP_PROTOCOL=${CUSTOM_MCP_PROTOCOL}
- HTTP_DENY_LIST=${HTTP_DENY_LIST} - HTTP_DENY_LIST=${HTTP_DENY_LIST}
- TRUST_PROXY=${TRUST_PROXY}
ports: ports:
- '${PORT}:${PORT}' - '${PORT}:${PORT}'
healthcheck: healthcheck:

1
docker/worker/.env.example
View File

@ -174,3 +174,4 @@ JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
# HTTP_DENY_LIST= # HTTP_DENY_LIST=
# CUSTOM_MCP_SECURITY_CHECK=true # CUSTOM_MCP_SECURITY_CHECK=true
# CUSTOM_MCP_PROTOCOL=sse #(stdio | sse) # CUSTOM_MCP_PROTOCOL=sse #(stdio | sse)
# TRUST_PROXY=true #(true | false | 1 | loopback| linklocal | uniquelocal | IP addresses | loopback, IP addresses)

2
docker/worker/docker-compose.yml
View File

@ -129,7 +129,7 @@ services:
- CUSTOM_MCP_SECURITY_CHECK=${CUSTOM_MCP_SECURITY_CHECK} - CUSTOM_MCP_SECURITY_CHECK=${CUSTOM_MCP_SECURITY_CHECK}
- CUSTOM_MCP_PROTOCOL=${CUSTOM_MCP_PROTOCOL} - CUSTOM_MCP_PROTOCOL=${CUSTOM_MCP_PROTOCOL}
- HTTP_DENY_LIST=${HTTP_DENY_LIST} - HTTP_DENY_LIST=${HTTP_DENY_LIST}
- TRUST_PROXY=${TRUST_PROXY}
ports: ports:
- '${WORKER_PORT}:${WORKER_PORT}' - '${WORKER_PORT}:${WORKER_PORT}'
healthcheck: healthcheck:

1
packages/server/.env.example
View File

@ -174,6 +174,7 @@ JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
# HTTP_DENY_LIST= # HTTP_DENY_LIST=
# CUSTOM_MCP_SECURITY_CHECK=true # CUSTOM_MCP_SECURITY_CHECK=true
# CUSTOM_MCP_PROTOCOL=sse #(stdio | sse) # CUSTOM_MCP_PROTOCOL=sse #(stdio | sse)
# TRUST_PROXY=true #(true | false | 1 | loopback| linklocal | uniquelocal | IP addresses | loopback, IP addresses)
############################################################################################################ ############################################################################################################

4
packages/server/src/commands/base.ts
View File

@ -77,7 +77,8 @@ export abstract class BaseCommand extends Command {
ENABLE_BULLMQ_DASHBOARD: Flags.string(), ENABLE_BULLMQ_DASHBOARD: Flags.string(),
CUSTOM_MCP_SECURITY_CHECK: Flags.string(), CUSTOM_MCP_SECURITY_CHECK: Flags.string(),
CUSTOM_MCP_PROTOCOL: Flags.string(), CUSTOM_MCP_PROTOCOL: Flags.string(),
HTTP_DENY_LIST: Flags.string() HTTP_DENY_LIST: Flags.string(),
TRUST_PROXY: Flags.string()
} }
protected async stopProcess() { protected async stopProcess() {
@ -210,5 +211,6 @@ export abstract class BaseCommand extends Command {
if (flags.CUSTOM_MCP_SECURITY_CHECK) process.env.CUSTOM_MCP_SECURITY_CHECK = flags.CUSTOM_MCP_SECURITY_CHECK if (flags.CUSTOM_MCP_SECURITY_CHECK) process.env.CUSTOM_MCP_SECURITY_CHECK = flags.CUSTOM_MCP_SECURITY_CHECK
if (flags.CUSTOM_MCP_PROTOCOL) process.env.CUSTOM_MCP_PROTOCOL = flags.CUSTOM_MCP_PROTOCOL if (flags.CUSTOM_MCP_PROTOCOL) process.env.CUSTOM_MCP_PROTOCOL = flags.CUSTOM_MCP_PROTOCOL
if (flags.HTTP_DENY_LIST) process.env.HTTP_DENY_LIST = flags.HTTP_DENY_LIST if (flags.HTTP_DENY_LIST) process.env.HTTP_DENY_LIST = flags.HTTP_DENY_LIST
if (flags.TRUST_PROXY) process.env.TRUST_PROXY = flags.TRUST_PROXY
} }
} }

14
packages/server/src/index.ts
View File

@ -163,7 +163,19 @@ export class App {
this.app.use(express.urlencoded({ limit: flowise_file_size_limit, extended: true })) this.app.use(express.urlencoded({ limit: flowise_file_size_limit, extended: true }))
// Enhanced trust proxy settings for load balancer // Enhanced trust proxy settings for load balancer
this.app.set('trust proxy', true) // Trust all proxies let trustProxy: string | boolean | number | undefined = process.env.TRUST_PROXY
if (typeof trustProxy === 'undefined' || trustProxy.trim() === '' || trustProxy === 'true') {
// Default to trust all proxies
trustProxy = true
} else if (trustProxy === 'false') {
// Disable trust proxy
trustProxy = false
} else if (!isNaN(Number(trustProxy))) {
// Number: Trust specific number of proxies
trustProxy = Number(trustProxy)
}
this.app.set('trust proxy', trustProxy)
// Allow access from specified domains // Allow access from specified domains
this.app.use(cors(getCorsOptions())) this.app.use(cors(getCorsOptions()))