feat: add trust proxy support for correct IP logging behind reverse proxies (v2.7.6)

- Add TRUST_PROXY environment variable to enable proxy header trust - Configure Express trust proxy in both HTTP server implementations - Fix issue #19: Docker internal IPs logged instead of real client IPs - Update documentation with reverse proxy configuration guide - Add examples for nginx proxy header forwarding - Maintain backward compatibility (disabled by default) When TRUST_PROXY=1 is set, the server will correctly log client IPs from X-Forwarded-For headers instead of proxy/container IPs. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-07-06 20:20:06 +02:00
parent 2a5c4ec6eb
commit 657d8c6088
6 changed files with 69 additions and 3 deletions
--- a/.env.example
+++ b/.env.example
@@ -53,6 +53,12 @@ AUTH_TOKEN=your-secure-token-here
 # For production, set to your specific domain
 # CORS_ORIGIN=https://your-client-domain.com

+# Trust proxy configuration for correct IP logging (0=disabled, 1=trust first proxy)
+# Set to 1 when running behind a reverse proxy (Nginx, Traefik, etc.)
+# Set to the number of proxy hops if behind multiple proxies
+# Default: 0 (disabled)
+# TRUST_PROXY=0
+
 # =========================
 # N8N API CONFIGURATION
 # =========================
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -6,7 +6,14 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co

 n8n-mcp is a comprehensive documentation and knowledge server that provides AI assistants with complete access to n8n node information through the Model Context Protocol (MCP). It serves as a bridge between n8n's workflow automation platform and AI models, enabling them to understand and work with n8n nodes effectively.

-## ✅ Latest Updates (v2.7.5)
+## ✅ Latest Updates (v2.7.6)
+
+### Update (v2.7.6) - Trust Proxy Support for Correct IP Logging:
+- ✅ **NEW: TRUST_PROXY support** - Log real client IPs when behind reverse proxy
+- ✅ **FIXED: Issue #19** - Docker internal IPs no longer logged when proxy configured
+- ✅ **ENHANCED: HTTP deployment** - Better nginx/proxy configuration documentation
+- ✅ **FLEXIBLE: Proxy hop configuration** - Support for single or multiple proxy layers
+- ✅ **BACKWARD COMPATIBLE**: Defaults to current behavior when not configured

 ### Update (v2.7.5) - AUTH_TOKEN_FILE Support & Known Issues:
 - ✅ **NEW: AUTH_TOKEN_FILE support** - Read authentication token from file (Docker secrets compatible)
@@ -480,6 +487,10 @@ NODE_ENV=development
 PORT=3000
 AUTH_TOKEN=your-secure-token

+# Trust proxy for correct IP logging (optional)
+# Set to 1 when behind a reverse proxy (Nginx, etc.)
+TRUST_PROXY=0
+
 # MCP Configuration  
 MCP_SERVER_NAME=n8n-documentation-mcp
 MCP_SERVER_VERSION=1.0.0
--- a/docs/HTTP_DEPLOYMENT.md
+++ b/docs/HTTP_DEPLOYMENT.md
@@ -2,7 +2,7 @@

 Deploy n8n-MCP as a remote HTTP server to provide n8n knowledge to Claude from anywhere.

-📌 **Latest Version**: v2.7.2 (includes fix for n8n management tools in Docker, updated documentation)
+📌 **Latest Version**: v2.7.6 (includes trust proxy support for correct IP logging behind reverse proxies)

 ## 🎯 Overview

@@ -150,6 +150,7 @@ Skip HTTP entirely and use stdio mode directly:
 | `HOST` | Bind address | `0.0.0.0` |
 | `LOG_LEVEL` | Log verbosity | `info` |
 | `NODE_ENV` | Environment | `production` |
+| `TRUST_PROXY` | Trust proxy headers for correct IP logging | `0` |

 ### n8n Management Tools (Optional)

@@ -197,6 +198,35 @@ When configured, you get **16 additional tools** (total: 38 tools):

 ⚠️ **Security Note**: Store API keys securely and never commit them to version control.

+## 🌐 Reverse Proxy Configuration
+
+### Trust Proxy for Correct IP Logging
+
+When running n8n-MCP behind a reverse proxy (Nginx, Traefik, etc.), enable trust proxy to log real client IPs instead of proxy IPs:
+
+```bash
+# Enable trust proxy in your environment
+TRUST_PROXY=1  # Trust 1 proxy hop (standard setup)
+# or
+TRUST_PROXY=2  # Trust 2 proxy hops (CDN → Load Balancer → n8n-mcp)
+```
+
+**Without TRUST_PROXY:**
+```
+[INFO] GET /health { ip: '172.19.0.2' }  # Docker internal IP
+```
+
+**With TRUST_PROXY=1:**
+```
+[INFO] GET /health { ip: '203.0.113.1' }  # Real client IP
+```
+
+This is especially important when:
+- Running in Docker/Kubernetes
+- Using load balancers
+- Debugging client issues
+- Implementing rate limiting
+
 ## 🔐 Security Setup

 ### Authentication
@@ -225,6 +255,10 @@ server {
    location /mcp {
        proxy_pass http://localhost:3000;
        proxy_set_header Authorization $http_authorization;
+        # Important: Forward client IP headers
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
    }
 }
 ```
@@ -343,6 +377,7 @@ services:
      AUTH_TOKEN: ${AUTH_TOKEN:?AUTH_TOKEN required}
      NODE_ENV: production
      LOG_LEVEL: info
+      TRUST_PROXY: 1  # Enable if behind reverse proxy
      # Optional: Enable n8n management tools
      # N8N_API_URL: ${N8N_API_URL}
      # N8N_API_KEY: ${N8N_API_KEY}
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "n8n-mcp",
-  "version": "2.7.5",
+  "version": "2.7.6",
  "description": "Integration between n8n workflow automation and Model Context Protocol (MCP)",
  "main": "dist/index.js",
  "scripts": {
--- a/src/http-server-single-session.ts
+++ b/src/http-server-single-session.ts
@@ -154,6 +154,13 @@ export class SingleSessionHTTPServer {
  async start(): Promise<void> {
    const app = express();
    
+    // Configure trust proxy for correct IP logging behind reverse proxies
+    const trustProxy = process.env.TRUST_PROXY ? Number(process.env.TRUST_PROXY) : 0;
+    if (trustProxy > 0) {
+      app.set('trust proxy', trustProxy);
+      logger.info(`Trust proxy enabled with ${trustProxy} hop(s)`);
+    }
+    
    // DON'T use any body parser globally - StreamableHTTPServerTransport needs raw stream
    // Only use JSON parser for specific endpoints that need it
    
--- a/src/http-server.ts
+++ b/src/http-server.ts
@@ -95,6 +95,13 @@ export async function startFixedHTTPServer() {
  
  const app = express();
  
+  // Configure trust proxy for correct IP logging behind reverse proxies
+  const trustProxy = process.env.TRUST_PROXY ? Number(process.env.TRUST_PROXY) : 0;
+  if (trustProxy > 0) {
+    app.set('trust proxy', trustProxy);
+    logger.info(`Trust proxy enabled with ${trustProxy} hop(s)`);
+  }
+  
  // CRITICAL: Don't use any body parser - StreamableHTTPServerTransport needs raw stream
  
  // Security headers