feat(serve-http): GBRAIN_TRUST_PROXY env var + Supabase deploy docs #817
Open
knee5 wants to merge 1 commit into
When deploying `gbrain serve --http` behind a PaaS load balancer (Fly.io,
Render, Railway, Vercel), Express's default `trust proxy: 'loopback'` is
too restrictive — the real client IP arrives in X-Forwarded-For after one
hop, and rate limiting + `req.secure` detection both need that hop trusted.

Adds GBRAIN_TRUST_PROXY env var. Default behavior unchanged ('loopback').
Set GBRAIN_TRUST_PROXY=1 for single-hop PaaS, or any other valid Express
trust-proxy value (boolean string, IP list, function name, etc).

Also adds a "Supabase Deployment Caveat" section to docs/mcp/DEPLOY.md
covering the common gotchas for external Supabase-backed deployments:
GBRAIN_DISABLE_DIRECT_POOL=1 (direct postgres host unreachable from outside
Supabase VPC), GBRAIN_POOL_SIZE=1 (transaction-pooler safe sizing), pooler
URL on port 6543 (not 5432), and a minimal Fly.io fly.toml example.

Replaces garrytan#759 — that PR also bundled DCR rate limiter changes which landed
independently in master (the v0.31 fix-wave subsumed them), so this is
the focused remainder.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
Summary

Two small changes for `gbrain serve --http` users deploying behind PaaS load balancers:

- `GBRAIN_TRUST_PROXY` env var — `src/commands/serve-http.ts` makes the Express trust-proxy setting configurable. Default unchanged ('loopback'); set `GBRAIN_TRUST_PROXY=1` for Fly.io/Render/Railway/Vercel where the real client IP arrives after exactly one hop. Required for both rate-limiting (correct client IPs) and `req.secure` detection (OAuth flows).
- Supabase Deployment Caveat docs — `docs/mcp/DEPLOY.md` adds a new section covering the three env vars external Supabase deployments need (`GBRAIN_DISABLE_DIRECT_POOL=1`, `GBRAIN_POOL_SIZE=1`, `GBRAIN_TRUST_PROXY=1`), the pooler URL gotcha (port 6543 not 5432), and a minimal Fly.io `fly.toml` example.

Why

Tested against a Supabase-backed brain on a self-hosted VPS. Without these flags + docs, the startup sequence wedges on an IPv6 connect to `db.<project-ref>.supabase.co:5432` (unreachable from outside Supabase's VPC), and rate-limiting silently misclassifies clients because `app.set('trust proxy', 'loopback')` only trusts `127.0.0.1`. After applying both, `gbrain serve --http` runs cleanly.

Replaces #759

This is the focused remainder of #759. That PR also bundled DCR `/register` rate-limiter changes; those landed independently via the v0.31 fix-wave (#776 et al). #760 also got incidentally fixed by the same fix-wave (the `engine.connect()` call you added to `phaseBBackfill`/`phaseCVerify` covers what we'd patched). So #759 is closed and only the trust-proxy + Supabase docs remain — narrower scope, cleaner review.

Test plan

- `tsc --noEmit` passes
- `GBRAIN_TRUST_PROXY` is unset
- `GBRAIN_TRUST_PROXY=1` correctly resolves to integer `1` (not the string)

🤖 Generated with Claude Code
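How the parsed `GBRAIN_TRUST_PROXY` value changes the client address that Express-style proxy resolution reports, as an added TypeScript example that is not part of this PR or the gbrain code base. `parseTrustProxy`, `clientIp`, `compareSettings` and the sample addresses are hypothetical, and the trust check is simplified to booleans, hop counts, `loopback` and exact addresses.

```typescript
// Added illustration; not code from the gbrain repository.
type TrustSetting = boolean | number | string;

// Hypothetical parser: raw env string -> value for app.set('trust proxy', ...).
function parseTrustProxy(raw: string | undefined): TrustSetting {
  const v = (raw ?? "").trim();
  if (v === "") return "loopback";        // default named in the PR
  if (v === "true") return true;
  if (v === "false") return false;
  if (/^\d+$/.test(v)) return Number(v);  // "1" -> hop count 1, not the string "1"
  return v;                               // "loopback" or a comma-separated address list
}

const isLoopback = (a: string): boolean => a === "::1" || /^(::ffff:)?127\./.test(a);

// Simplified trust test: exact addresses and "loopback" only, no CIDR ranges.
function isTrusted(setting: TrustSetting, addr: string, hop: number): boolean {
  if (typeof setting === "boolean") return setting;
  if (typeof setting === "number") return hop < setting;
  return setting.split(",").map((s) => s.trim())
    .some((entry) => (entry === "loopback" ? isLoopback(addr) : entry === addr));
}

// Walk from the socket peer back through X-Forwarded-For (rightmost entry first)
// and return the first address that is not a trusted proxy.
function clientIp(setting: TrustSetting, socketAddr: string, xff: string): string {
  const forwarded = xff.split(",").map((s) => s.trim()).filter((s) => s !== "").reverse();
  let current = socketAddr;
  let hop = 0;
  for (const next of forwarded) {
    if (!isTrusted(setting, current, hop)) return current;
    current = next;
    hop += 1;
  }
  return current;
}

// Constructed sample: the load balancer (172.16.0.10) appended the real peer
// 198.51.100.23 to an X-Forwarded-For value the client had already supplied.
const SAMPLE_SOCKET = "172.16.0.10";
const SAMPLE_XFF = "203.0.113.7, 198.51.100.23";

function compareSettings(): string[] {
  return [undefined, "1", "true"].map(
    (raw) => `${raw ?? "(unset)"} -> ${clientIp(parseTrustProxy(raw), SAMPLE_SOCKET, SAMPLE_XFF)}`);
}

console.log(compareSettings().join("\n"));
```

With the variable unset every request is attributed to the load balancer's address, so all clients share one rate-limit bucket; with `true` the reported address is the leftmost, client-supplied entry. A hop count that matches the number of proxies actually in front of the service is the setting that yields the peer the load balancer observed.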