fix: enable real client IP extraction for load balancing behind rever…

[PythonFZ]

…se proxy

When deployed behind another reverse proxy (npm, traefik, etc.), the nginx ip_hash directive was seeing the proxy's IP for all clients, routing all traffic to a single backend replica.

This change configures nginx to extract the real client IP from the X-Forwarded-For header, enabling proper load distribution across all replicas while maintaining sticky sessions per client.

Summary by CodeRabbit

• Chores
  • Updated production infrastructure configuration to improve IP address extraction and validation, ensuring accurate client IP identification and enhanced security safeguards for proxy connections.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Nginx configuration updated to extract real client IP addresses from X-Forwarded-For headers within the http context, including proxy trust settings and recursive IP processing, while retaining the existing upstream server configuration with sticky sessions via ip_hash.

Changes

Cohort / File(s)	Change Summary
Nginx HTTP Configuration docker/production/nginx.conf	Added real IP extraction directives (set_real_ip_from, real_ip_header, real_ip_recursive) to properly identify client source IPs when behind proxies; includes security documentation about spoofing risks and proxy trust configuration

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 In reverse proxies we hop and bound,
Real IPs now trustfully found,
X-Forwarded-For headers we read,
With recursive hops, client truth spread! 🌟

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change—enabling real client IP extraction for load balancing behind reverse proxies—which directly addresses the changeset's focus on nginx configuration modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

🧹 Recent nitpick comments

docker/production/nginx.conf (1)

25-31: Security trade-off with 0.0.0.0/0 is documented but worth hardening if possible.

The warning comments are appreciated. However, set_real_ip_from 0.0.0.0/0 trusts any source to set X-Forwarded-For, which means a misconfiguration exposing nginx directly would allow IP spoofing.

If the upstream proxy runs on a known network (e.g., Docker bridge), consider restricting to that CIDR:

set_real_ip_from 172.16.0.0/12;  # Docker default bridge range
set_real_ip_from 10.0.0.0/8;     # Common internal range

Additionally, IPv6 is not covered. If IPv6 traffic is expected, add:

set_real_ip_from ::/0;  # or specific IPv6 ranges

---

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9617d98 and 00d22d0.

📒 Files selected for processing (1)

• docker/production/nginx.conf

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: pytest (3.11, ubuntu-latest)
• GitHub Check: pytest (3.12, ubuntu-latest)
• GitHub Check: pytest (3.13, ubuntu-latest)

🔇 Additional comments (2)

docker/production/nginx.conf (2)

33-38: LGTM!

The comment accurately documents that ip_hash will now use the extracted real client IP, which achieves the intended fix for sticky session routing behind reverse proxies.

---

64-65: Headers correctly propagate the extracted client IP.

After real_ip processing, $remote_addr reflects the real client IP, so X-Real-IP and X-Forwarded-For headers sent to the backend will contain the correct client address.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.04%. Comparing base (9617d98) to head (00d22d0).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #859   +/-   ##
=======================================
  Coverage   80.04%   80.04%           
=======================================
  Files         165      165           
  Lines       20131    20131           
=======================================
  Hits        16114    16114           
  Misses       4017     4017           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.