fix(nginx): correct real_ip_header typo X-Forward-For → X-Forwarded-For

[MinitJain]

Description

Fixes #8934

All three nginx configs had a typo in the real_ip_header directive — X-Forward-For instead of the standard X-Forwarded-For. X-Forward-For is not a real HTTP header, so Nginx silently ignored the directive and never replaced $remote_addr with the actual client IP.

Changes:

• Fixed real_ip_header X-Forward-For → real_ip_header X-Forwarded-For in apps/web/nginx/nginx.conf
• Fixed real_ip_header X-Forward-For → real_ip_header X-Forwarded-For in apps/admin/nginx/nginx.conf
• Fixed real_ip_header X-Forward-For → real_ip_header X-Forwarded-For in apps/space/nginx/nginx.conf

One character added in 3 files, nothing else.

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• Feature (non-breaking change which adds functionality)
• Improvement (change that would cause existing functionality to not work as expected)
• Code refactoring
• Performance improvements
• Documentation update

Test Scenarios

1. Deploy behind a proxy or CDN that sets X-Forwarded-For
2. Verify Nginx logs show the real client IP, not the proxy IP
3. Verify rate limiting applies per real client IP, not per proxy

References

Closes #8934

Summary by CodeRabbit

• Bug Fixes
  • Updated server configurations across admin, space, and web applications to correctly identify real client IP addresses from incoming proxy headers. These changes standardize IP detection behavior across the platform, fixing inconsistencies and ensuring accurate and reliable client identification. All services now consistently process client IP information in a uniform manner.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request corrects a typo across three Nginx configuration files. The real_ip_header directive in each file is being changed from the non-standard X-Forward-For to the correct HTTP header name X-Forwarded-For, enabling proper real client IP extraction when behind proxies.

Changes

Cohort / File(s)	Summary
Nginx Real-IP Header Typo Fix apps/admin/nginx/nginx.conf, apps/space/nginx/nginx.conf, apps/web/nginx/nginx.conf	Corrected real_ip_header directive from non-standard X-Forward-For to standard X-Forwarded-For header name for proper real client IP extraction behind proxies.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A hop, a skip, a typo squashed with care,
X-Forward-For → X-Forwarded-For in the air,
Now proxies forward truthfully, no more strife,
Real IPs shine bright in the Nginx life! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: correcting a typo in the Nginx real_ip_header directive from X-Forward-For to X-Forwarded-For across three configuration files.
Description check	✅ Passed	The PR description is well-structured, follows the template with all major sections completed, clearly explains the bug and fix, and provides specific test scenarios.
Linked Issues check	✅ Passed	The PR fully addresses all coding requirements from issue #8934: corrects the typo in all three Nginx config files (apps/web, apps/admin, apps/space) from X-Forward-For to X-Forwarded-For, enabling proper real IP extraction.
Out of Scope Changes check	✅ Passed	All changes are directly in scope: only the typo correction in the real_ip_header directive across three Nginx config files is modified, with no extraneous changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/space/nginx/nginx.conf`:
- Around line 12-15: The configuration currently uses set_real_ip_from 0.0.0.0/0
with real_ip_header X-Forwarded-For, which allows IP spoofing and defeats
limit_req_zone using $binary_remote_addr and $remote_addr; replace the wildcard
trust with the actual proxy/CDN/load-balancer CIDR ranges (or make
set_real_ip_from values configurable) so only trusted upstreams can set
X-Forwarded-For, and document the behavior if you must accept arbitrary sources;
update the same change in the other nginx.conf files that use set_real_ip_from,
real_ip_header, and limit_req_zone to ensure rate limits and logs remain
reliable.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8782b2aa-8b26-4e35-80b3-049ca833e2ae

📥 Commits

Reviewing files that changed from the base of the PR and between 32fb88a and 67ef8f5.

📒 Files selected for processing (3)

• apps/admin/nginx/nginx.conf
• apps/space/nginx/nginx.conf
• apps/web/nginx/nginx.conf

[MinitJain]

@coderabbitai set_real_ip_from 0.0.0.0/0 is pre-existing and predates this PR — this PR only fixes the real_ip_header typo. The wildcard trust range is deployment-specific (correct CIDR depends on whether the user is behind Cloudflare, AWS ELB, custom proxy, etc.) and should be addressed separately as a configurable value per deployment.

[coderabbitai]

Only users with a collaborator, contributor, member, or owner role can interact with CodeRabbit.

[sriramveeraghanta]

The change correctly fixes the real_ip_header directive from the non-standard X-Forward-For to the standard X-Forwarded-For header name across all three nginx configs (admin, space, web), applied consistently. The typo had been silently disabling real_ip_header, so this fix makes set_real_ip_from and IP-based rate limiting actually take effect.

Note (not blocking): the pre-existing set_real_ip_from 0.0.0.0/0 directive immediately above the changed line trusts every client, which means once this fix lands the real client IP can be spoofed via the X-Forwarded-For header. Worth restricting set_real_ip_from to trusted proxy/CDN CIDRs in a follow-up — but that is a pre-existing config concern, not introduced by this PR.