Open davidmytton opened 5 days ago
If the req.ip
is not a global IP, more lookups are attempted, which would reach the fly platform check at https://github.com/arcjet/arcjet-js/blob/main/ip/index.ts#L634
I couldn't use the https://github.com/arcjet/arcjet-js/tree/main/ip package because req.headers is not the expected format:
You need to build ArcjetHeaders with the @arcjet/headers
package, e.g. new ArcjetHeaders(req.headers)
, and pass those to the @arcjet/ip
package.
This case is unusual because req.ip
is a bogon and there is no platform header. Fly-Client-IP
is not set when the request is coming from a health check, so Arcjet errors because the IP is not a public IP.
There's an argument to say that you shouldn't be using Arcjet against health checks, but I think we'll see this with a lot of monitoring & deployment systems.
The current behavior seems correct to me - if we can't determine the public IP then we have to error (unless you can think of a way around it?). So the question is: what is our recommended workaround if you want to have Arcjet run on every endpoint (including the health check)? Bogon check + looking at the user agent?
So the question is: what is our recommended workaround if you want to have Arcjet run on every endpoint (including the health check)?
Why does there need to be a workaround? If decision.isErrored()
it is also decision.isAllowed()
, so the health check will just be allowed. Since this seems that we wouldn't block the health check, is the only problem here that the user is seeing an error log?
Something else related to this: if we can't build characteristics, we should probably just avoid sending to the service at all—and the workaround for that would be to use a different characteristic.
Yeah the errors in the logs are disconcerting, and could be verbose if they're doing regular health checks from multiple locations. This is more about how we improve the DX around this scenario rather than it being a change to how our core functionality works i.e. what's our official recommendation that would go in the docs?
I think:
Do you think anything else needs to be done?
Agreed on both. I've added https://github.com/arcjet/arcjet-docs/issues/96 for the docs.
On Fly.io, the client IP address in
req.ip
provided by Express.js is always an internal IP address e.g.::ffff:172.16.21.10
. This causes the request to be rejected by Arcjet when in production mode.To pass the correct IP, we have to construct a custom request object e.g:
The correct IP can then be detected by Arcjet. I couldn't use the https://github.com/arcjet/arcjet-js/tree/main/ip package because
req.headers
is not the expected format: