Rate Limiter instant blocking

Hi guys,

We are relatively new to Wappler and just launched our first app live. We use Redis and it is working.

Our problem is that the rate limiter, which should prevent the user from registering more than once within an hour, throws even if not activated. I already did some digging and found that in my Redis cache there is only one rate limiter, with key: "ac:RegisterLimiter::::ffff:127.0.0.1"

We are behind an nginx proxy, but we have the following enabled:

        # Proxy Headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

I think the rate limiter maybe thinks that everything is coming from the same IP address 127.0.0.1 and therefore it blocks.

I saw that in other Node.js environments it is common to set "trustProxy": true in this case.

Please give me some advice.

BR Andreas Voraberger

[EDIT]: Just examined the value after another registration. It increases. But for sure nobody registered directly from 127.0.0.1. It is configured so that the rate limiter increases by 200 for every registration. So the problem is indeed exactly what I described. How do I tell the rateLimiter to use one of the X_HEADERS? Or which X_HEADER should I set in nginx?

me@WJFrontendNbg:~$ redis-cli -a XYZ -n 0 GET "ac:RegisterLimiter::::ffff:127.0.0.1"
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
"400"
me@WJFrontendNbg:~$ redis-cli -a XYZ -n 0 GET "ac:RegisterLimiter::::ffff:127.0.0.1"
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
"600"

We always assume that the server is running behind a reverse proxy, so trustProxy is always set.

You can check the file lib/server.js; line 23 should have:

app.set('trust proxy', true);

The rateLimiter middleware is configured in lib/core/middleware.js, it uses req.ip for the key. With trustProxy set to true it should get the IP from the left-most entry in the X-Forwarded-For header.

Express behind proxies

Normally this works fine with this config behind a proxy. Perhaps inspect the headers received in Node.js: you could create a simple server action and output $_SERVER to inspect the HTTP headers.

Hi Patrick, thank you. I am still on other, more important problems. Will come back later and answer if it's working.

You were right, no Wappler bug.

The problem was: my proxy_set_header configurations were basically in the main nginx config.

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

BUT: in my location configurations I had

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

which is an nginx speciality: if you have just one proxy_set_header in the location block, all other proxy_set_header directives from the http block and so on are removed.

Solution:

I now defined everything in the location block.

Thanks for your help.
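The following is an added example, not Wappler's or Express's own code. It models the rule Patrick gives above (with 'trust proxy' true, req.ip is the left-most X-Forwarded-For entry, otherwise the socket peer address, i.e. the nginx proxy) and the two nginx situations Andreas describes: the location block that dropped the inherited X-Forwarded-For header, and the fixed one. The key prefix/separator and the 200-point cost per registration are assumptions chosen to reproduce the values seen in Redis in this thread.

```javascript
// Node reports IPv4 peers on a dual-stack listener as "::ffff:a.b.c.d",
// which is why the observed key ends in "::ffff:127.0.0.1" (the proxy).
const PROXY_PEER = '::ffff:127.0.0.1';

// Resolve the client IP the way Express does for app.set('trust proxy', true):
// left-most X-Forwarded-For entry, falling back to the socket address.
function clientIp(socketAddr, headers) {
  const xff = headers['x-forwarded-for'];
  return xff ? xff.split(',')[0].trim() : socketAddr;
}

// Key layout is an assumption made to match "ac:RegisterLimiter::::ffff:127.0.0.1".
function limiterKey(name, ip) {
  return `ac:${name}::${ip}`;
}

// Minimal points-based limiter: every registration consumes 200 points
// (assumed, as the thread reports the counter growing by 200 per registration).
function consume(store, name, socketAddr, headers, points = 200) {
  const key = limiterKey(name, clientIp(socketAddr, headers));
  store.set(key, (store.get(key) || 0) + points);
  return key;
}

// Broken nginx setup: the location block only set Upgrade/Connection, so the
// proxy_set_header lines inherited from the http block were discarded and no
// X-Forwarded-For header reached Node at all.
function brokenProxyHeaders(_realClientIp) {
  return { connection: 'upgrade', upgrade: 'websocket' };
}

// Fixed nginx setup: X-Forwarded-For $proxy_add_x_forwarded_for appends the
// peer address to whatever X-Forwarded-For the request already carried.
function fixedProxyHeaders(realClientIp, incomingXff) {
  const xff = incomingXff ? `${incomingXff}, ${realClientIp}` : realClientIp;
  return { 'x-forwarded-for': xff, 'x-real-ip': realClientIp };
}

// Two different clients (constructed addresses) each register once.
function simulate(headerFn) {
  const store = new Map();
  for (const ip of ['203.0.113.10', '198.51.100.7']) {
    consume(store, 'RegisterLimiter', PROXY_PEER, headerFn(ip));
  }
  return Object.fromEntries(store);
}

console.log('broken:', simulate(brokenProxyHeaders));
console.log('fixed :', simulate(fixedProxyHeaders));
```

Because 'trust proxy' true takes the left-most entry, it only gives a meaningful per-client key when every hop that can write X-Forwarded-For is one you control; the nginx location block must therefore set the header itself, as the thread concludes.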