From a45b675976e5836e5d2e7641eb3a8ae2f8ba4526 Mon Sep 17 00:00:00 2001
From: Ian
Date: Sun, 16 Nov 2014 13:45:20 -0800
Subject: [PATCH] Don't allow IP source to be set via X-Real-IP unless we're behind a load balancer. #30
---
 README.md | 6 ++++++
 server/app.js | 6 +++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 0443f9e..e9b50e9 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,12 @@ text.send('1119491234567', 'Bonjour!', 'intl', function(err) {
 ```
+### Usage as a standalone server
+
+Textbelt can be run as a standalone server with: `node server/app.js`. Be sure to install dependencies first with `npm install`.
+
+By default, the server listens on port 9090 and is configured to accept traffic from a reverse proxy or load balancer such as nginx. To enable accurate IP rate limiting, the reverse proxy should be configured to set the `X-Real-IP` header.
+
 ### Canadian and International endpoints
 The /text endpoint supports U.S. phone numbers (and parts of Canada).
diff --git a/server/app.js b/server/app.js
index a92604d..448b6e4 100644
--- a/server/app.js
+++ b/server/app.js
@@ -89,7 +89,11 @@ function textRequestHandler(req, res, number, region, key) {
 res.send({success:false,message:'Sorry, texts to this number are disabled.'});
 return;
 }
- var ip = req.header('X-Real-IP') || req.connection.remoteAddress;
+
+ var ip = req.connection.remoteAddress;
+ if (!ip || ip === '127.0.0.1') {
+ ip = req.header('X-Real-IP');
+ }
 var message = req.body.message;
 if (message.indexOf(':') > -1) {
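Review bot: The new `if (!ip || ip === '127.0.0.1')` test in server/app.js is an exact string match. A proxy connecting over IPv6 loopback (`::1`, or `::ffff:127.0.0.1` on a dual-stack listener) or from another host is therefore not recognised, and every client behind it would be rate-limited under the proxy's address. The `!ip` arm also accepts the client-supplied header whenever the socket address is missing. When the header is absent on a loopback connection, `ip` is overwritten with `undefined`; how the limiter treats that key is outside the hunk. I would compare against a small configured list of trusted proxy addresses and keep the socket address as the fallback, e.g. `if (TRUSTED_PROXIES.indexOf(ip) > -1) { ip = req.header('X-Real-IP') || ip; }` (`TRUSTED_PROXIES` is a placeholder name for a new config array), with a comment that `X-Real-IP` is honoured only from those peers. textRequestHandler starts and ends outside the hunk.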