v0.117.0

@gesellix gesellix released this 28 Jun 14:31

Noteworthy

  • Behind a reverse proxy, AfterTouch now resolves the client IP from
    X-Forwarded-For only.

    ⚠️ The previous chi RealIP middleware also read X-Real-IP
    and True-Client-IP; those headers are no longer consulted. If
    your reverse proxy only sets X-Real-IP, configure it to set
    X-Forwarded-For instead (for nginx:
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;). This change
    comes with the chi v5.3.0 update, whose new ClientIP middleware closes
    IP-spoofing weaknesses present in the old RealIP. Default LAN and on-device
    deployments are unaffected: without a reverse proxy, trust_forwarded_headers
    defaults off and the peer socket IP is used directly.

  • A hand-authored settings.json is no longer overwritten on first start.
    The service decided "first run" from an empty server_url and would write a
    fresh default settings.json, discarding operator-set keys (for example a
    trust_forwarded_headers you added before the first start while passing
    server_url via the --server-url flag). First run is now detected by the
    absence of settings.json, so an existing file is always preserved; a
    genuinely empty data dir still gets defaults and the volume-not-persisted
    notice.
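
The first item above, illustrated with an added Go example (not AfterTouch or chi code): behind nginx's $proxy_add_x_forwarded_for, the only proxy-written value is the last X-Forwarded-For entry, while X-Real-IP and any earlier entries can be supplied by the client. The helpers clientIP and sample are hypothetical, the addresses are constructed, and picking the rightmost entry assumes exactly one trusted proxy hop; the page does not state how chi's ClientIP selects the entry.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// clientIP is a hypothetical helper, not AfterTouch or chi code.
// trustForwarded mirrors the trust_forwarded_headers setting in the notes.
func clientIP(r *http.Request, trustForwarded bool) string {
	peer, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		peer = r.RemoteAddr
	}
	if !trustForwarded {
		return peer // no reverse proxy: the socket peer is the client
	}
	// Assumption: one trusted proxy that appends the address it saw, so only
	// the rightmost X-Forwarded-For entry is proxy-written.
	// X-Real-IP and True-Client-IP are deliberately never read.
	vals := r.Header.Values("X-Forwarded-For")
	if len(vals) == 0 {
		return peer
	}
	parts := strings.Split(vals[len(vals)-1], ",")
	last := strings.TrimSpace(parts[len(parts)-1])
	if net.ParseIP(last) == nil {
		return peer // empty or malformed entry: fall back to the socket peer
	}
	return last
}

// sample builds a constructed request as the app would see it behind the proxy.
func sample(remote, xff, realIP string) *http.Request {
	r, _ := http.NewRequest("GET", "http://aftertouch.example/", nil)
	r.RemoteAddr = remote
	r.Header.Set("X-Forwarded-For", xff)
	r.Header.Set("X-Real-IP", realIP)
	return r
}

func main() {
	// Constructed: client 203.0.113.7 forges both headers; nginx (10.0.0.2) appends the real peer.
	r := sample("10.0.0.2:41000", "198.51.100.99, 203.0.113.7", "198.51.100.99")
	fmt.Println(clientIP(r, true), clientIP(r, false)) // 203.0.113.7 10.0.0.2
}
```

With trust enabled the forged 198.51.100.99 is ignored in both headers; with trust disabled the forwarded headers are not read at all.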

What's Changed

  • fix(security): migrate chi RealIP → ClientIP (chi v5.3.0) by @gesellix in #538
  • fix(service): don't clobber a hand-authored settings.json on first run by @gesellix in #539
  • docs: move proxy client-IP guidance to the deployment walkthrough by @gesellix in #540

Full Changelog: v0.116.0...v0.117.0