MosswartOverlord/go-services
Erik 5f7b4dcd55 fix(tracker-go): key login rate limiter on X-Real-IP, not spoofable XFF
nginx's X-Forwarded-For is $proxy_add_x_forwarded_for, which only appends
to whatever the client sends — a forged leftmost hop passed straight
through, letting an attacker rotate spoofed values to dodge the 5s login
cooldown. X-Real-IP is set by nginx to $remote_addr on every proxied
location and can't be forged by the client, so key on that instead.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
2026-07-04 22:43:43 +02:00
..
compare feat(go-services): Phase 2 ingest — shared Ingestor + shadow consumer 2026-06-24 10:31:15 +02:00
discord-go feat(go-services): discord-go — Go port of discord-rare-monitor 2026-06-24 10:06:59 +02:00
inventory-go fix(inventory-go): restore GET /inventory/{name} (live Inv window was empty) 2026-06-25 21:44:16 +02:00
nginx chore(go-services): ready-to-apply nginx /go/ snippet (user must sudo) 2026-06-24 09:51:25 +02:00
tracker-go fix(tracker-go): key login rate limiter on X-Real-IP, not spoofable XFF 2026-07-04 22:43:43 +02:00
.gitattributes chore(go-services): add .gitattributes (force LF) to stop CRLF churn 2026-06-24 10:07:20 +02:00
docker-compose.cutover.yml feat: Go backend production cutover — website layer, ingest forwarding, alerts, live fixes 2026-06-24 19:46:40 +02:00
docker-compose.go.yml feat: Go backend production cutover — website layer, ingest forwarding, alerts, live fixes 2026-06-24 19:46:40 +02:00