Reverse Proxy
The reverse proxy must overwrite the real client IP so HubProxy can rate-limit per user and resist IP spoofing.
example.com { reverse_proxy 127.0.0.1:5000 { header_up X-Real-IP {remote} header_up X-Forwarded-For {remote} header_up X-Forwarded-Proto {scheme} header_up X-Forwarded-Host {host} }}Behind Cloudflare
Section titled “Behind Cloudflare”example.com { reverse_proxy 127.0.0.1:5000 { header_up X-Forwarded-For {http.request.header.CF-Connecting-IP} header_up X-Real-IP {http.request.header.CF-Connecting-IP} header_up X-Forwarded-Proto https header_up X-Forwarded-Host {host} }}location / { proxy_pass http://127.0.0.1:5000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto $scheme;}GitHub acceleration shows “invalid input”
Section titled “GitHub acceleration shows “invalid input””If GitHub acceleration fails behind Nginx, check proxy_set_header Host per issue #62.
How It Works
Section titled “How It Works”HubProxy only trusts forwarding headers when the TCP connection comes from trusted private/local ranges:
127.0.0.0/810.0.0.0/8172.16.0.0/12192.168.0.0/16
See IP Trust for details.