
TT-16229 update tyk.conf example#7603

Merged
lghiur merged 1 commit into master from TT-16229 on Dec 9, 2025

Conversation

@sedkis
Contributor

@sedkis sedkis commented Dec 5, 2025

Ticket Details

TT-16229
Status: In Code Review
Summary: [Innersource] Default secure for new XFF depth config

Generated at: 2025-12-05 13:04:25

@probelabs
Contributor

probelabs bot commented Dec 5, 2025

This PR updates the example configuration file tyk.conf.example to include the http_server_options.xff_depth setting with a value of 1.

Files Changed Analysis

  • tyk.conf.example: Modified to add "xff_depth": 1.
    • Additions: 1
    • Deletions: 0

The change is minimal, adding a single configuration key to the example file.

Architecture & Impact Assessment

What this PR accomplishes

This PR makes the xff_depth configuration option more discoverable by adding it to the example configuration file. This setting controls how Tyk determines the client's real IP address from the X-Forwarded-For (XFF) header, which is crucial for rate limiting, analytics, and security policies.

Key technical changes

The introduction of "xff_depth": 1 in the example configuration suggests a default behavior of trusting the last IP address in the XFF header chain. This is a common and secure practice when the gateway is behind a trusted proxy or load balancer that appends the client IP.

  • When xff_depth is 0 (the previous implicit default), Tyk uses the first (leftmost) IP in the XFF header.
  • When xff_depth is 1, Tyk uses the last (rightmost) IP.
  • When xff_depth is N > 1, Tyk uses the Nth IP from the end of the list.

Affected system components

  • Request Processing: The request.RealIP function is directly affected. This function is responsible for identifying the client's IP address.
  • Middleware: Any middleware that relies on the client's IP address will be impacted, including:
    • Rate Limiting
    • Analytics Logging
    • IP-based Access Control

Scope Discovery & Context Expansion

The change is limited to the example configuration file and does not alter any Go code. However, it influences the default behavior for new Tyk Gateway deployments that use this file as a template. The core logic is located in request/real_ip.go, which reads the XFFDepth value from the configuration (config/config.go) to parse the X-Forwarded-For header on incoming HTTP requests.

Metadata
  • Review Effort: 1 / 5
  • Primary Label: documentation

Powered by Visor from Probelabs

Last updated: 2025-12-05T13:05:26.234Z | Triggered by: pr_opened | Commit: 97a51dc


@probelabs
Contributor

probelabs bot commented Dec 5, 2025

Security Issues (1)

Severity: 🟡 Warning
Location: tyk.conf.example:35
Issue: The `xff_depth` setting has been added to the example configuration without comments explaining its function or security implications. This setting controls which IP address is selected from the `X-Forwarded-For` header. Misconfiguring this value can lead to IP address spoofing, potentially allowing attackers to bypass IP-based security controls such as rate limiting or access rules.
💡 Suggestion: Add a comment explaining that `xff_depth` must be set to the number of trusted, non-spoofable proxies between the client and the Tyk gateway. Provide guidance on how to determine the correct value for common deployment scenarios (e.g., behind a single load balancer).

Example comment:
// xff_depth defines how many trusted proxies are in front of Tyk. Set this to the number of proxies to correctly identify the client IP from the X-Forwarded-For header. A common value is 1 when running behind a single load balancer. An incorrect value can lead to IP spoofing.

✅ Architecture Check Passed

No architecture issues found – changes LGTM.

✅ Performance Check Passed

No performance issues found – changes LGTM.

Quality Issues (1)

Severity: 🟡 Warning
Location: tyk.conf.example:35
Issue: The `xff_depth` option has been added to the example configuration without a comment explaining its function. This can lead to user confusion, as the choice of which IP to trust from the `X-Forwarded-For` header has security implications. A value of `1` means trusting the last IP in the chain, which is correct for common deployments behind a single trusted proxy.
💡 Suggestion: Add a comment explaining the `xff_depth` setting. For example: `// Determines which IP to trust from the X-Forwarded-For header. A value of 1 selects the last IP, suitable for deployments behind a trusted proxy.`


Last updated: 2025-12-05T13:05:28.546Z | Triggered by: pr_opened | Commit: 97a51dc

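The depth semantics laid out in the first Visor comment (depth 0 takes the leftmost entry, depth 1 the rightmost, depth N the Nth from the right) and the spoofing warning in the second are easiest to see side by side. The following Go program is an added illustration written for this page; it is not Tyk's request.RealIP and does not claim to match it. It models a client that sends a forged X-Forwarded-For value, a chain of trusted proxies that each append the address they actually saw, and a gateway that selects an entry at a configured depth. The fallback to the TCP peer address when the header is empty or shorter than the depth, and the 10.0.0.x proxy addresses, are my assumptions, not anything the PR states.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// clientIP selects an address from an X-Forwarded-For value using the depth
// rules described in the review comment (illustrative model, not Tyk code):
//   depth 0 -> leftmost entry (whatever the original client wrote)
//   depth 1 -> rightmost entry (appended by the proxy nearest the gateway)
//   depth N -> Nth entry counting from the right
// Assumption (not from the page): an empty header, or a header with fewer
// entries than depth, falls back to the TCP peer address.
func clientIP(xff, remoteAddr string, depth int) string {
	peer, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		peer = remoteAddr
	}
	var hops []string
	for _, h := range strings.Split(xff, ",") {
		if h = strings.TrimSpace(h); h != "" {
			hops = append(hops, h)
		}
	}
	if len(hops) == 0 {
		return peer
	}
	if depth <= 0 {
		return hops[0]
	}
	if depth > len(hops) {
		return peer
	}
	return hops[len(hops)-depth]
}

// proxyHop models a trusted proxy appending the address it saw to the header.
func proxyHop(xff, seen string) string {
	if xff == "" {
		return seen
	}
	return xff + ", " + seen
}

// attributedIP returns the address the gateway would attribute a request to
// when an attacker at realIP forges "X-Forwarded-For: claimed", the request
// passes through trustedProxies hops (constructed addresses 10.0.0.1..N, each
// appending the previous hop's address), and the gateway uses the given depth.
func attributedIP(trustedProxies, depth int, claimed, realIP string) string {
	xff := claimed // attacker-controlled starting value
	prev := realIP // address the first proxy sees
	for i := 1; i <= trustedProxies; i++ {
		xff = proxyHop(xff, prev)
		prev = fmt.Sprintf("10.0.0.%d", i)
	}
	// the gateway's TCP peer is the last proxy (or the client if there is none)
	return clientIP(xff, prev+":443", depth)
}

func main() {
	claimed, realIP := "192.0.2.10", "203.0.113.7" // constructed sample addresses
	for _, tc := range []struct{ proxies, depth int }{{1, 0}, {1, 1}, {2, 1}, {2, 2}, {0, 1}} {
		got := attributedIP(tc.proxies, tc.depth, claimed, realIP)
		fmt.Printf("proxies=%d depth=%d -> %s (spoofed=%v)\n",
			tc.proxies, tc.depth, got, got == claimed)
	}
}
```

Running it shows the three outcomes a practitioner should recognise: depth lower than the proxy count selects an attacker-supplied entry (depth 0 behind one proxy yields the forged 192.0.2.10), depth equal to the proxy count yields the real client (203.0.113.7), and depth lower than the count but above zero yields an internal proxy address (10.0.0.1 with two proxies and depth 1), which makes every client look identical to rate limiting. With no proxy at all, every entry is attacker-controlled, so in that deployment the header should not be consulted regardless of depth.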

@github-actions
Contributor

github-actions bot commented Dec 5, 2025

API Changes

no api changes detected

@sonarqubecloud

sonarqubecloud bot commented Dec 5, 2025

@lghiur lghiur merged commit 30b4e2f into master Dec 9, 2025
51 of 52 checks passed
@lghiur lghiur deleted the TT-16229 branch December 9, 2025 13:01