feat: enhance middleware and security configurations

kastov · kastov · commit 4d73c992c655 · 2025-05-07T16:00:36.000+03:00
- Added proxyCheckMiddleware to main.ts
diff --git a/src/app.module.ts b/src/app.module.ts
@@ -60,6 +60,9 @@ import { QueueModule } from '@queue/queue.module';
                         configService.getOrThrow<string>('SWAGGER_PATH'),
                         configService.getOrThrow<string>('SCALAR_PATH'),
                     ],
+                    serveStaticOptions: {
+                        dotfiles: 'deny',
+                    },
                 },
             ],
         }),
diff --git a/src/common/middlewares/index.ts b/src/common/middlewares/index.ts
@@ -1,2 +1,3 @@
 export * from './basic-auth.middleware';
 export * from './get-real-ip';
+export * from './proxy-check.middleware';
diff --git a/src/common/middlewares/proxy-check.middleware.ts b/src/common/middlewares/proxy-check.middleware.ts
@@ -0,0 +1,28 @@
+import { NextFunction, Request, Response } from 'express';
+
+import { Logger } from '@nestjs/common';
+
+import { isDevelopment } from '@common/utils/startup-app';
+
+const logger = new Logger('ProxyCheckMiddleware');
+
+export function proxyCheckMiddleware(req: Request, res: Response, next: NextFunction) {
+    if (isDevelopment()) {
+        return next();
+    }
+
+    const isProxy = Boolean(req.headers['x-forwarded-for']);
+    const isHttps = Boolean(req.headers['x-forwarded-proto'] === 'https');
+
+    logger.debug(
+        `X-Forwarded-For: ${req.headers['x-forwarded-for']}, X-Forwarded-Proto: ${req.headers['x-forwarded-proto']}`,
+    );
+
+    if (!isHttps || !isProxy) {
+        res.socket?.destroy();
+        logger.error('Reverse proxy and HTTPS are required.');
+        return false;
+    }
+
+    return next();
+}
diff --git a/src/main.ts b/src/main.ts
@@ -13,9 +13,10 @@ import { ConfigService } from '@nestjs/config';
 import { NestFactory } from '@nestjs/core';
 
 import { getDocs, isDevelopment, isProduction } from '@common/utils/startup-app';
-import { ProxyCheckGuard } from '@common/guards/proxy-check/proxy-check.guard';
+// import { ProxyCheckGuard } from '@common/guards/proxy-check/proxy-check.guard';
 import { getStartMessage } from '@common/utils/startup-app/get-start-message';
 import { getRealIp } from '@common/middlewares/get-real-ip';
+import { proxyCheckMiddleware } from '@common/middlewares';
 import { AxiosService } from '@common/axios';
 
 import { AppModule } from './app.module';
@@ -106,6 +107,8 @@ async function bootstrap(): Promise<void> {
 
     app.setGlobalPrefix(ROOT);
 
+    app.use(proxyCheckMiddleware);
+
     await getDocs(app, config);
 
     app.enableCors({
@@ -116,7 +119,7 @@ async function bootstrap(): Promise<void> {
 
     app.useGlobalPipes(new ZodValidationPipe());
 
-    app.useGlobalGuards(new ProxyCheckGuard({ exclude: [] }));
+    // app.useGlobalGuards(new ProxyCheckGuard({ exclude: [] }));
 
     app.enableShutdownHooks();
 

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`export * from './basic-auth.middleware';`
`2`	`2`	`export * from './get-real-ip';`
	`3`	`+export * from './proxy-check.middleware';`