
ValidationError: The 'X-Forwarded-For' header is set but the Express 'trust proxy' setting is false (default). #3583

Closed
kbhagi opened this issue Dec 10, 2023 · 2 comments · Fixed by #3586
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. samples Issues that are directly related to samples. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments


kbhagi commented Dec 10, 2023

In which file did you encounter the issue?

https://github.com/GoogleCloudPlatform/nodejs-docs-samples/blob/main/run/filesystem/index.js

Did you change the file? If so, how?

No, happy to raise a PR.

Describe the issue

Following the https://cloud.google.com/run/docs/tutorials/network-filesystems-filestore#before-you-begin created a Cloud Run service with VPC connector and Filestore.

Making an authenticated HTTP POST request from a VM probably behind a proxy to this Cloud Run app URL resulted in an HTTP 302 with an error logged to Cloud Logging.

X-forwarded-error

ValidationError: The 'X-Forwarded-For' header is set but the Express 'trust proxy' setting is false (default). This could indicate a misconfiguration which would prevent express-rate-limit from accurately identifying users. See https://express-rate-limit.github.io/ERR_ERL_UNEXPECTED_X_FORWARDED_FOR/ for more information.
    at Object.xForwardedForHeader (/app/node_modules/express-rate-limit/dist/index.cjs:166:13)
    at wrappedValidations.<computed> [as xForwardedForHeader] (/app/node_modules/express-rate-limit/dist/index.cjs:324:22)
    at Object.keyGenerator (/app/node_modules/express-rate-limit/dist/index.cjs:579:20)

CURL request and response

$ curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" https://xxxxxx.run.app -vvi
*   Trying 216.239.32.53:443...
* Connected to XXXXX.run.app (216.239.32.53) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=*.a.run.app
*  start date: Nov 20 08:02:20 2023 GMT
*  expire date: Feb 12 08:02:19 2024 GMT
*  subjectAltName: host "XXXXX.a.run.app" matched cert's "*.a.run.app"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://XXXXX.a.run.app/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: XXXXXl.a.run.app]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.3.0]
* [HTTP/2] [1] [accept: */*]
* [HTTP/2] [1] [authorization: Bearer eXXXXXX
> GET / HTTP/2
> Host: XXXXX-el.a.run.app
> User-Agent: curl/8.3.0
> Accept: */*
> Authorization: Bearer XXXXX
> 
< HTTP/2 302 
HTTP/2 302 
< x-powered-by: Express
x-powered-by: Express
< x-ratelimit-limit: 100
x-ratelimit-limit: 100
< x-ratelimit-remaining: 97
x-ratelimit-remaining: 97
< x-ratelimit-reset: 1702213958
x-ratelimit-reset: 1702213958
< location: /mnt/nfs/filestore
location: /mnt/nfs/filestore
< vary: Accept
vary: Accept
< content-type: text/plain; charset=utf-8
content-type: text/plain; charset=utf-8
< x-cloud-trace-context: XXXXXa2ed;o=1
x-cloud-trace-context: XXXXXd;o=1
< date: Sun, 10 Dec 2023 12:59:43 GMT
date: Sun, 10 Dec 2023 12:59:43 GMT
< server: Google Frontend
server: Google Frontend
< content-length: 40
content-length: 40

< 
* Connection #0 to host filesystem-app-uplgjpifoa-el.a.run.app left intact
  • It happened the first time out of 4 requests being made
  • The 2nd, 3rd and 4th requests led to an empty response
  • The 5th request resulted in the expected output Found. Redirecting to /mnt/nfs/filestore.

Fix: https://github.com/express-rate-limit/express-rate-limit/wiki/Troubleshooting-Proxy-Issues
https://express-rate-limit.mintlify.app/reference/error-codes#err-erl-unexpected-x-forwarded-for
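Added example, not code from the samples repository or from express-rate-limit: a simplified model of how a hop-count `trust proxy` setting resolves the client address from X-Forwarded-For, alongside the check that produced the error above. The frontend address and X-Forwarded-For value are constructed; on Cloud Run the Google Frontend is the single trusted hop, so `trust proxy` set to 1 is the setting that neither ignores the header nor trusts a client-supplied one.

```javascript
// Resolve the client address the way a numeric `trust proxy` does:
// start at the socket peer and walk leftwards through X-Forwarded-For,
// stopping after `trustProxy` trusted hops. `true` trusts every hop
// (so the leftmost, client-controlled entry wins); `false` / 0 ignores
// the header entirely and every request looks like it came from the proxy.
function clientAddress(remoteAddr, xff, trustProxy) {
  const hops = (xff || '').split(',').map((s) => s.trim()).filter(Boolean);
  const chain = [remoteAddr, ...hops.reverse()]; // nearest proxy first
  const trusted = trustProxy === true ? Infinity : Number(trustProxy) || 0;
  let i = 0;
  while (i < chain.length - 1 && i < trusted) i += 1;
  return chain[i];
}

// Simplified mirror of the express-rate-limit validation seen in this
// issue: the header arrived, but Express was configured to trust no proxy,
// so the limiter would key every client on the frontend's address.
function checkForwardedHeader(xff, trustProxy) {
  if (xff && trustProxy === false) {
    return "ValidationError: 'X-Forwarded-For' is set but 'trust proxy' is false";
  }
  return null;
}

// Constructed sample: the Cloud Run frontend (198.51.100.7) appended the
// real client 203.0.113.42 to a header the client had already populated.
const FRONTEND = '198.51.100.7';
const XFF = '10.0.0.1, 203.0.113.42';

console.log(checkForwardedHeader(XFF, false));    // the error from the issue
console.log(clientAddress(FRONTEND, XFF, false)); // 198.51.100.7 (everyone shares one bucket)
console.log(clientAddress(FRONTEND, XFF, 1));     // 203.0.113.42 (the real client)
console.log(clientAddress(FRONTEND, XFF, true));  // 10.0.0.1 (client-chosen; limiter is bypassable)
```

With `trust proxy` set to 1 the rate limiter keys on the address the frontend appended, which is the value that holds up under a spoofed header.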

@kbhagi kbhagi added priority: p2 Moderately-important priority. Fix may not be included in next release. triage me I really want to be triaged. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Dec 10, 2023
@product-auto-label product-auto-label bot added the samples Issues that are directly related to samples. label Dec 10, 2023
@glasnt glasnt removed the triage me I really want to be triaged. label Dec 12, 2023

glasnt commented Dec 12, 2023

(googlers: conversation in associated b/)


glasnt commented Dec 12, 2023

Summary of discussion:

I'll submit a PR to resolve this.


2 participants