trustedProxies setting
If you don't use a proxy, feel free to skip to the "I don't use a proxy" section.
When using a proxy, all requests appear to come from the proxy server IP address instead of the browser's IP address. This would break functionality like IP banning and rate limiting.
To get around this, proxies set a header like X-Real-IP or X-Forwarded-For with the client's true IP address which NamelessMC can use. However, nothing prevents a regular user from setting this header to forge their IP address. This is why NamelessMC (like all other web software) has a whitelist for source IP addresses that can send these special proxy headers.
Edit core/config.php and add trustedProxies in the core section. The value is an array of networks, for example:
'trustedProxies' => ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']
Set the NAMELESS_TRUSTED_PROXIES environment variable to a comma separated list of networks. For example:
NAMELESS_TRUSTED_PROXIES=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
Docker and Docker Compose use addresses in the 172.16.0.0/12 range by default. Since these addresses are only for private use, it is safe to whitelist the entire block. If you wish, you may also whitelist your proxy specifically.
For Cloudflare's current list of networks, please see: https://www.cloudflare.com/ips/
Below, we provide a list in PHP array format for your convenience. It may be out of date if Cloudflare has added or removed networks since the config sample was written.
'trustedProxies' => ['103.21.244.0/22', '103.22.200.0/22', '103.31.4.0/22', '104.16.0.0/13', '104.24.0.0/14', '108.162.192.0/18', '131.0.72.0/22', '141.101.64.0/18', '162.158.0.0/15', '172.64.0.0/13', '173.245.48.0/20', '188.114.96.0/20', '190.93.240.0/20', '197.234.240.0/22', '198.41.128.0/17']
I don't use a proxy
Simply configure trustedProxies with an empty list. So, change from:
'trustedProxies' => null
to:
'trustedProxies' => []
null means unconfigured (with a warning); [] means no proxies should be trusted.
Trusting all IP addresses as proxies is dangerous. This allows users to pretend to be from different IP addresses, bypassing bans and rate limits. Only use for testing purposes!
To allow proxy headers from all addresses:
'trustedProxies' => ['0.0.0.0/0']
IPv6 support is unknown. Please report back if you test it.
For origin IP address:
X-Real-IP (used verbatim)
CF-Connecting-IP (used verbatim)
X-Forwarded-For (parsed for a list of addresses, then only the first non-trusted address from the right is used)
Forwarded (parsed for a list of addresses, then only the first non-trusted address from the right is used)
For protocol:
X-Forwarded-Proto (used verbatim)
For port:
X-Forwarded-Port (used verbatim)
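
The right-to-left X-Forwarded-For rule described above, as an added Python example (not NamelessMC's own code): the header is only consulted when the connecting address is in trustedProxies, and the first non-trusted address from the right is used. The function names, the documentation-range sample addresses, and the fallback to the left-most entry when every hop is trusted are assumptions made for illustration.

```python
import ipaddress

def parse_networks(value):
    """Parse a NAMELESS_TRUSTED_PROXIES-style comma separated list of networks."""
    return [ipaddress.ip_network(n.strip()) for n in value.split(",") if n.strip()]

def is_trusted(addr, networks):
    """True if addr falls inside any trusted network (ValueError if malformed)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in networks)

def client_ip(remote_addr, x_forwarded_for, networks):
    """Resolve the client address for one request.

    remote_addr is the TCP peer; x_forwarded_for is the raw header value or None.
    """
    # A peer outside trustedProxies may not speak for anyone else: ignore its header.
    if not is_trusted(remote_addr, networks):
        return remote_addr
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    try:
        # Each proxy appends the address it saw, so the right-most entries are
        # the ones written by our own proxies. Walk right to left.
        for hop in reversed(hops):
            if not is_trusted(hop, networks):
                return hop
    except ValueError:
        return remote_addr  # malformed entry: fall back to the TCP peer
    # Assumption: if every hop is trusted, use the left-most entry (or the peer).
    return hops[0] if hops else remote_addr

if __name__ == "__main__":
    # Constructed sample requests; addresses are from documentation ranges.
    nets = parse_networks("10.0.0.0/8,172.16.0.0/12,192.168.0.0/16")
    cases = [
        ("203.0.113.7", "198.51.100.1", nets),               # direct, forged header
        ("172.18.0.2", "198.51.100.1, 203.0.113.7", nets),   # via proxy, forged prefix
        ("203.0.113.7", "198.51.100.1", parse_networks("0.0.0.0/0")),  # trust-all
    ]
    for peer, xff, trusted in cases:
        print(peer, "|", xff, "->", client_ip(peer, xff, trusted))
```

With the private-range list, the forged entry is ignored in the first two cases; with 0.0.0.0/0 the forged value is accepted, which is the ban and rate-limit bypass the warning above describes.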