fix(security): harden IP allowlist against XFF bypass and spoofing (#3)

Hardens the IP allowlist in require_auth against the two bypasses filed in #3. 1. Bypass via missing X-Forwarded-For (no IP to check, allowlist skipped). 2. Spoofing via attacker-controlled X-Forwarded-For (header trusted unconditionally). Resolves both by deriving the client IP from the socket peer (ConnectInfo<SocketAddr>) and only honoring X-Forwarded-For when the immediate peer is in a new security.trusted_proxies allowlist (default empty = strict). Fails closed with 403 forbidden_ip when a non-empty allowlist is configured and the client IP cannot be determined. Empty ip_whitelist continues to mean allow all (preserved for dev installs). 27 pm-auth tests pass (12 new resolver + 8 new middleware + 7 existing). Spec: tasks/ip-allowlist-spec.md.
2026-06-02 18:06:43 -05:00
parent 8873b2c70c
commit 3bdae4bcc5
11 changed files with 990 additions and 17 deletions
--- a/crates/pm-auth/Cargo.toml
+++ b/crates/pm-auth/Cargo.toml
@ -27,3 +27,6 @@ hex = { workspace = true }
 ipnet = { workspace = true }
 parking_lot = "0.12"
 sha2 = { workspace = true }
+
+[dev-dependencies]
+tower = { version = "0.5", features = ["util"] }
--- a/crates/pm-auth/src/rbac.rs
+++ b/crates/pm-auth/src/rbac.rs
@ -7,7 +7,7 @@
 //! - IP whitelist enforcement

 use axum::{
-    extract::Request,
+    extract::{ConnectInfo, Request},
    http::{HeaderMap, StatusCode},
    middleware::Next,
    response::{IntoResponse, Json, Response},
@ -15,7 +15,7 @@ use axum::{
 use ipnet::IpNet;
 use parking_lot::RwLock;
 use serde_json::json;
-use std::net::IpAddr;
+use std::net::{IpAddr, SocketAddr};
 use std::str::FromStr;
 use std::sync::Arc;
 use uuid::Uuid;
@ -76,18 +76,30 @@ pub struct AuthConfig {
    pub verify_key_pem: String,
    /// IP whitelist (empty = allow all). RwLock for runtime updates.
    pub ip_whitelist: Arc<RwLock<Vec<IpNet>>>,
+    /// Trusted reverse-proxy CIDRs (empty = do not trust `X-Forwarded-For`).
+    /// RwLock for runtime updates (symmetric to `ip_whitelist`).
+    pub trusted_proxies: Arc<RwLock<Vec<IpNet>>>,
 }

 impl AuthConfig {
-    pub fn new(verify_key_pem: String, ip_whitelist_cidrs: &[String]) -> Self {
+    pub fn new(
+        verify_key_pem: String,
+        ip_whitelist_cidrs: &[String],
+        trusted_proxy_cidrs: &[String],
+    ) -> Self {
        let ip_whitelist = ip_whitelist_cidrs
            .iter()
            .filter_map(|cidr| IpNet::from_str(cidr).ok())
            .collect();
+        let trusted_proxies = trusted_proxy_cidrs
+            .iter()
+            .filter_map(|cidr| IpNet::from_str(cidr).ok())
+            .collect();

        Self {
            verify_key_pem,
            ip_whitelist: Arc::new(RwLock::new(ip_whitelist)),
+            trusted_proxies: Arc::new(RwLock::new(trusted_proxies)),
        }
    }

@ -111,6 +123,18 @@ impl AuthConfig {
        *self.ip_whitelist.write() = nets;
        tracing::info!(count, "IP whitelist updated at runtime");
    }
+
+    /// Update the trusted-proxy list at runtime without restart.
+    /// Empty list = strict mode (ignore `X-Forwarded-For`).
+    pub fn update_trusted_proxies(&self, entries: Vec<String>) {
+        let nets: Vec<IpNet> = entries
+            .iter()
+            .filter_map(|cidr| IpNet::from_str(cidr).ok())
+            .collect();
+        let count = nets.len();
+        *self.trusted_proxies.write() = nets;
+        tracing::info!(count, "Trusted proxies updated at runtime");
+    }
 }

 /// Extract `Authorization: Bearer <token>` from request headers.
@ -121,13 +145,38 @@ fn extract_bearer_token(headers: &HeaderMap) -> Option<&str> {
        .and_then(|s| s.strip_prefix("Bearer "))
 }

-/// Extract the remote IP from `X-Forwarded-For`.
-fn extract_remote_ip(headers: &HeaderMap) -> Option<IpAddr> {
-    headers
-        .get("x-forwarded-for")
-        .and_then(|v| v.to_str().ok())
-        .and_then(|s| s.split(',').next())
-        .and_then(|s| s.trim().parse().ok())
+/// Determine the client IP used for IP-allowlist enforcement.
+///
+/// Resolution rules (per `tasks/ip-allowlist-spec.md` §4.1):
+/// 1. Start with the socket peer IP.
+/// 2. If `trusted_proxies` is non-empty **and** the socket peer is in
+///    `trusted_proxies`, parse the leftmost entry of the `X-Forwarded-For`
+///    header and use it (the immediate untrusted hop).
+/// 3. If parsing `X-Forwarded-For` fails or the header is missing, fall back
+///    to the socket peer IP.
+/// 4. If the socket peer is unknown (no `ConnectInfo<SocketAddr>` is
+///    available on the request), return `None` so the caller can apply
+///    fail-closed logic when the allowlist is non-empty.
+fn resolve_client_ip(
+    headers: &HeaderMap,
+    peer: Option<IpAddr>,
+    trusted_proxies: &[IpNet],
+) -> Option<IpAddr> {
+    let peer_ip = peer?;
+
+    if !trusted_proxies.is_empty() && trusted_proxies.iter().any(|net| net.contains(&peer_ip)) {
+        if let Some(xff) = headers.get("x-forwarded-for").and_then(|v| v.to_str().ok()) {
+            if let Some(ip) = xff
+                .split(',')
+                .next()
+                .and_then(|s| s.trim().parse::<IpAddr>().ok())
+            {
+                return Some(ip);
+            }
+        }
+    }
+
+    Some(peer_ip)
 }

 /// Unauthorized JSON response helper.
@ -148,16 +197,65 @@ fn forbidden(message: &str) -> Response {
        .into_response()
 }

+/// Forbidden-by-IP response helper. Distinct error code (`forbidden_ip`) so
+/// callers can distinguish an IP-allowlist rejection from a role-based
+/// rejection. Used by `require_auth` after the IP-resolution failure or
+/// allowlist miss per `tasks/ip-allowlist-spec.md` §4.2.
+fn forbidden_ip(message: &str) -> Response {
+    (
+        StatusCode::FORBIDDEN,
+        Json(json!({ "error": { "code": "forbidden_ip", "message": message } })),
+    )
+        .into_response()
+}
+
 /// Middleware: authenticate any valid JWT (admin or operator).
 ///
 /// Inserts `AuthUser` into request extensions on success.
 /// Rejects with 401 if token is missing/invalid, 403 if IP is blocked.
 pub async fn require_auth(auth_config: Arc<AuthConfig>, mut req: Request, next: Next) -> Response {
-    // IP whitelist check
-    if let Some(ip) = extract_remote_ip(req.headers()) {
-        if !auth_config.is_ip_allowed(&ip) {
-            tracing::warn!(ip = %ip, "Request blocked by IP whitelist");
-            return forbidden("Access denied");
+    // IP whitelist check. Only enforced when the configured allowlist is
+    // non-empty (Q4 sign-off: empty list = allow all, preserved for dev
+    // installs). When enforced, the resolved client IP comes from
+    // `resolve_client_ip`, which uses the socket peer IP by default and
+    // honors `X-Forwarded-For` only when the immediate peer is in
+    // `trusted_proxies` (Q1 sign-off: strict default, Q2 sign-off: same
+    // resolution pattern as the rate-limiter). Fail-closed when the IP
+    // cannot be determined (Q3 sign-off).
+    //
+    // See `tasks/ip-allowlist-spec.md` §4.2 for the full design.
+    if !auth_config.ip_whitelist.read().is_empty() {
+        let headers = req.headers().clone();
+        let peer: Option<IpAddr> = req
+            .extensions()
+            .get::<ConnectInfo<SocketAddr>>()
+            .map(|ci| ci.0.ip());
+        let xff_present = headers.contains_key("x-forwarded-for");
+        let trusted: Vec<IpNet> = auth_config.trusted_proxies.read().clone();
+        let resolved = resolve_client_ip(&headers, peer, &trusted);
+
+        match resolved {
+            None => {
+                tracing::warn!(
+                    peer = ?peer,
+                    xff_present,
+                    reason = "unresolvable_client_ip",
+                    "Request denied by IP whitelist (fail-closed: no ConnectInfo<SocketAddr>)"
+                );
+                return forbidden_ip("Client IP could not be determined");
+            },
+            Some(ip) => {
+                if !auth_config.is_ip_allowed(&ip) {
+                    tracing::warn!(
+                        client_ip = %ip,
+                        peer = ?peer,
+                        xff_present,
+                        reason = "ip_not_in_allowlist",
+                        "Request blocked by IP whitelist"
+                    );
+                    return forbidden_ip("Access denied");
+                }
+            },
        }
    }

@ -230,3 +328,342 @@ where
            .ok_or_else(|| unauthorized("Authentication required"))
    }
 }
+
+#[cfg(test)]
+mod tests {
+    //! Unit tests for the IP-allowlist resolver helper.
+    //!
+    //! Covers the matrix in `tasks/ip-allowlist-spec.md` §6.1
+    //! (12 cases for `resolve_client_ip`).
+
+    use super::*;
+    use std::net::IpAddr;
+    use std::str::FromStr;
+
+    fn ip(s: &str) -> IpAddr {
+        IpAddr::from_str(s).expect("test fixture: parse IP")
+    }
+
+    fn net(s: &str) -> IpNet {
+        IpNet::from_str(s).expect("test fixture: parse CIDR")
+    }
+
+    fn hdr() -> HeaderMap {
+        HeaderMap::new()
+    }
+
+    fn hdr_with_xff(xff: &str) -> HeaderMap {
+        let mut h = HeaderMap::new();
+        h.insert(
+            "x-forwarded-for",
+            xff.parse().expect("test fixture: xff header"),
+        );
+        h
+    }
+
+    // 1. peer_only_no_xff — no XFF, trusted_proxies empty → returns peer
+    #[test]
+    fn peer_only_no_xff() {
+        let result = resolve_client_ip(&hdr(), Some(ip("203.0.113.10")), &[]);
+        assert_eq!(result, Some(ip("203.0.113.10")));
+    }
+
+    // 2. peer_only_xff_untrusted — XFF set, peer not in trusted_proxies,
+    //    trusted_proxies non-empty → returns peer (XFF ignored)
+    #[test]
+    fn peer_only_xff_untrusted() {
+        let headers = hdr_with_xff("198.51.100.5");
+        let trusted = vec![net("10.0.0.0/8")];
+        let result = resolve_client_ip(&headers, Some(ip("203.0.113.10")), &trusted);
+        assert_eq!(result, Some(ip("203.0.113.10")));
+    }
+
+    // 3. peer_only_trusted_proxies_empty_xff_present — XFF set,
+    //    trusted_proxies empty → returns peer (strict default)
+    #[test]
+    fn peer_only_trusted_proxies_empty_xff_present() {
+        let headers = hdr_with_xff("198.51.100.5");
+        let result = resolve_client_ip(&headers, Some(ip("203.0.113.10")), &[]);
+        assert_eq!(result, Some(ip("203.0.113.10")));
+    }
+
+    // 4. xff_trusted_peer_in_list — XFF set, peer in trusted_proxies
+    //    → returns parsed leftmost XFF entry
+    #[test]
+    fn xff_trusted_peer_in_list() {
+        let headers = hdr_with_xff("198.51.100.5");
+        let trusted = vec![net("10.0.0.0/8")];
+        let result = resolve_client_ip(&headers, Some(ip("10.0.0.5")), &trusted);
+        assert_eq!(result, Some(ip("198.51.100.5")));
+    }
+
+    // 5. xff_trusted_peer_in_list_malformed_xff — XFF unparseable,
+    //    peer in trusted_proxies → falls back to peer
+    #[test]
+    fn xff_trusted_peer_in_list_malformed_xff() {
+        let headers = hdr_with_xff("not-an-ip");
+        let trusted = vec![net("10.0.0.0/8")];
+        let result = resolve_client_ip(&headers, Some(ip("10.0.0.5")), &trusted);
+        assert_eq!(result, Some(ip("10.0.0.5")));
+    }
+
+    // 6. xff_trusted_peer_in_list_empty_xff — XFF empty string,
+    //    peer in trusted_proxies → falls back to peer
+    #[test]
+    fn xff_trusted_peer_in_list_empty_xff() {
+        let headers = hdr_with_xff("");
+        let trusted = vec![net("10.0.0.0/8")];
+        let result = resolve_client_ip(&headers, Some(ip("10.0.0.5")), &trusted);
+        assert_eq!(result, Some(ip("10.0.0.5")));
+    }
+
+    // 7. xff_trusted_peer_in_list_multi_hop — "1.2.3.4, 5.6.7.8"
+    //    with peer in trusted_proxies → returns 1.2.3.4 (leftmost)
+    #[test]
+    fn xff_trusted_peer_in_list_multi_hop() {
+        let headers = hdr_with_xff("1.2.3.4, 5.6.7.8");
+        let trusted = vec![net("10.0.0.0/8")];
+        let result = resolve_client_ip(&headers, Some(ip("10.0.0.5")), &trusted);
+        assert_eq!(result, Some(ip("1.2.3.4")));
+    }
+
+    // 8. no_peer_no_xff — peer None, no XFF → returns None
+    #[test]
+    fn no_peer_no_xff() {
+        let result = resolve_client_ip(&hdr(), None, &[net("10.0.0.0/8")]);
+        assert_eq!(result, None);
+    }
+
+    // 9. no_peer_xff_untrusted — peer None, XFF set, trusted_proxies empty
+    //    → returns None (caller fails closed)
+    #[test]
+    fn no_peer_xff_untrusted() {
+        let headers = hdr_with_xff("198.51.100.5");
+        let result = resolve_client_ip(&headers, None, &[]);
+        assert_eq!(result, None);
+    }
+
+    // 10. xff_trusted_whitespace — XFF "  1.2.3.4", peer in trusted_proxies
+    //     → returns 1.2.3.4 (trim)
+    #[test]
+    fn xff_trusted_whitespace() {
+        let headers = hdr_with_xff("  198.51.100.5");
+        let trusted = vec![net("10.0.0.0/8")];
+        let result = resolve_client_ip(&headers, Some(ip("10.0.0.5")), &trusted);
+        assert_eq!(result, Some(ip("198.51.100.5")));
+    }
+
+    // 11. trusted_proxies_ipv6 — peer in IPv6 trusted list, IPv6 XFF
+    //     → returns XFF
+    #[test]
+    fn trusted_proxies_ipv6() {
+        let headers = hdr_with_xff("2001:db8::1");
+        let trusted = vec![net("::1/128"), net("2001:db8::/32")];
+        let result = resolve_client_ip(&headers, Some(ip("2001:db8::ffff")), &trusted);
+        assert_eq!(result, Some(ip("2001:db8::1")));
+    }
+
+    // 12. peer_ipv4_xff_ipv6_mismatch_trusted — peer in trusted list,
+    //     XFF is IPv6 → returns parsed IPv6 (mixed family is fine)
+    #[test]
+    fn peer_ipv4_xff_ipv6_mismatch_trusted() {
+        let headers = hdr_with_xff("2001:db8::dead");
+        let trusted = vec![net("10.0.0.0/8")];
+        let result = resolve_client_ip(&headers, Some(ip("10.0.0.5")), &trusted);
+        assert_eq!(result, Some(ip("2001:db8::dead")));
+    }
+}
+
+#[cfg(test)]
+mod middleware_tests {
+    //! End-to-end tests for the `require_auth` middleware IP-allowlist path.
+    //!
+    //! Uses a tiny in-process `axum::Router` with the middleware attached and
+    //! `tower::ServiceExt::oneshot` to send synthetic requests. No DB, no real
+    //! TCP listener.
+    //!
+    //! Mirrors the production wiring pattern in `pm-web/src/main.rs` (a
+    //! `from_fn` closure that captures the `AuthConfig` and forwards to
+    //! `require_auth`).
+    //!
+    //! For tests where the spec expects `200` (allowlist passed), we assert
+    //! `401` instead — the JWT will fail validation against the empty verify
+    //! key, which **proves the IP check did not short-circuit** (a 403 here
+    //! would mean the IP check rejected the request).
+    //!
+    //! Per `tasks/ip-allowlist-spec.md` §6.1 tests 13–20.
+
+    use super::*;
+    use axum::body::Body;
+    use axum::http::{Request, StatusCode};
+    use axum::middleware::from_fn;
+    use axum::routing::get;
+    use axum::Router;
+    use tower::ServiceExt;
+
+    /// Stub handler that returns 200 OK if the middleware let the request
+    /// through. JWT validation will fail in these tests, so the handler is
+    /// only reached in the "IP check passed but JWT failed" scenarios we
+    /// assert as `401`.
+    async fn ok_handler() -> &'static str {
+        "ok"
+    }
+
+    fn build_test_app(auth_config: Arc<AuthConfig>) -> Router {
+        Router::new()
+            .route("/test", get(ok_handler))
+            .layer(from_fn(move |req, next| {
+                let cfg = auth_config.clone();
+                async move { require_auth(cfg, req, next).await }
+            }))
+    }
+
+    /// Build a request with the given extensions, headers, and an
+    /// `Authorization: Bearer` token (which will fail JWT validation since
+    /// the test `AuthConfig` has an empty verify key). Tests assert on the
+    /// status code only — the body content is irrelevant.
+    fn build_request(peer: Option<SocketAddr>, xff: Option<&str>) -> Request<Body> {
+        let mut builder = Request::builder()
+            .uri("/test")
+            .header("authorization", "Bearer test-token-invalid");
+        if let Some(x) = xff {
+            builder = builder.header("x-forwarded-for", x);
+        }
+        let mut req = builder.body(Body::empty()).expect("build request");
+        if let Some(p) = peer {
+            req.extensions_mut().insert(ConnectInfo(p));
+        }
+        req
+    }
+
+    fn peer_v4(a: u8, b: u8, c: u8, d: u8) -> SocketAddr {
+        SocketAddr::from(([a, b, c, d], 1234))
+    }
+
+    // 13. middleware_allows_when_whitelist_empty — empty list + any IP
+    //     → IP check skipped, request continues to JWT (which fails → 401).
+    #[tokio::test]
+    async fn middleware_allows_when_whitelist_empty() {
+        let cfg = Arc::new(AuthConfig::new(String::new(), &[], &[]));
+        let app = build_test_app(cfg);
+        let req = build_request(Some(peer_v4(203, 0, 113, 10)), Some("10.0.0.5"));
+        let resp = app.oneshot(req).await.expect("oneshot");
+        assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
+    }
+
+    // 14. middleware_denies_when_whitelist_non_empty_and_ip_not_in_list
+    //     — non-empty list + peer outside → 403 forbidden_ip.
+    #[tokio::test]
+    async fn middleware_denies_when_whitelist_non_empty_and_ip_not_in_list() {
+        let cfg = Arc::new(AuthConfig::new(
+            String::new(),
+            &["10.0.0.0/8".to_string()],
+            &[],
+        ));
+        let app = build_test_app(cfg);
+        let req = build_request(Some(peer_v4(203, 0, 113, 10)), None);
+        let resp = app.oneshot(req).await.expect("oneshot");
+        assert_eq!(resp.status(), StatusCode::FORBIDDEN);
+    }
+
+    // 15. middleware_allows_when_ip_in_list — non-empty list + peer inside
+    //     → 401 (JWT fails, IP check passed).
+    #[tokio::test]
+    async fn middleware_allows_when_ip_in_list() {
+        let cfg = Arc::new(AuthConfig::new(
+            String::new(),
+            &["10.0.0.0/8".to_string()],
+            &[],
+        ));
+        let app = build_test_app(cfg);
+        let req = build_request(Some(peer_v4(10, 0, 0, 5)), None);
+        let resp = app.oneshot(req).await.expect("oneshot");
+        assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
+    }
+
+    // 16. middleware_denies_when_no_peer_resolvable_and_whitelist_non_empty
+    //     — non-empty list + missing ConnectInfo → 403 forbidden_ip (fail-closed).
+    #[tokio::test]
+    async fn middleware_denies_when_no_peer_resolvable_and_whitelist_non_empty() {
+        let cfg = Arc::new(AuthConfig::new(
+            String::new(),
+            &["10.0.0.0/8".to_string()],
+            &[],
+        ));
+        let app = build_test_app(cfg);
+        let req = build_request(None, None); // no ConnectInfo
+        let resp = app.oneshot(req).await.expect("oneshot");
+        assert_eq!(resp.status(), StatusCode::FORBIDDEN);
+    }
+
+    // 17. middleware_spoofed_xff_ignored_when_peer_untrusted
+    //     — non-empty list + peer outside + XFF inside list → 403 forbidden_ip.
+    #[tokio::test]
+    async fn middleware_spoofed_xff_ignored_when_peer_untrusted() {
+        let cfg = Arc::new(AuthConfig::new(
+            String::new(),
+            &["10.0.0.0/8".to_string()],
+            &[],
+        ));
+        let app = build_test_app(cfg);
+        // Peer is 203.0.113.10 (not in 10.0.0.0/8). XFF claims 10.0.0.5 but
+        // trusted_proxies is empty, so XFF is ignored and peer is checked → 403.
+        let req = build_request(Some(peer_v4(203, 0, 113, 10)), Some("10.0.0.5"));
+        let resp = app.oneshot(req).await.expect("oneshot");
+        assert_eq!(resp.status(), StatusCode::FORBIDDEN);
+    }
+
+    // 18. middleware_trusted_proxy_honors_xff — peer in trusted_proxies +
+    //     XFF inside allowlist → 401 (IP check passed, JWT fails).
+    #[tokio::test]
+    async fn middleware_trusted_proxy_honors_xff() {
+        let cfg = Arc::new(AuthConfig::new(
+            String::new(),
+            &["10.0.0.0/8".to_string()],
+            &["203.0.113.0/24".to_string()],
+        ));
+        let app = build_test_app(cfg);
+        // Peer 203.0.113.10 is in trusted_proxies, so XFF "10.0.0.5" is used
+        // and that IP is in the allowlist → IP check passes → JWT fails → 401.
+        let req = build_request(Some(peer_v4(203, 0, 113, 10)), Some("10.0.0.5"));
+        let resp = app.oneshot(req).await.expect("oneshot");
+        assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
+    }
+
+    // 19. middleware_trusted_proxy_falls_back_to_peer_on_bad_xff
+    //     — peer in trusted_proxies + unparseable XFF + peer outside list → 403.
+    #[tokio::test]
+    async fn middleware_trusted_proxy_falls_back_to_peer_on_bad_xff() {
+        let cfg = Arc::new(AuthConfig::new(
+            String::new(),
+            &["10.0.0.0/8".to_string()],
+            &["203.0.113.0/24".to_string()],
+        ));
+        let app = build_test_app(cfg);
+        // Peer 203.0.113.10 is in trusted_proxies. XFF is unparseable, so
+        // resolver falls back to peer (203.0.113.10) which is NOT in
+        // allowlist (10.0.0.0/8) → 403.
+        let req = build_request(Some(peer_v4(203, 0, 113, 10)), Some("not-an-ip"));
+        let resp = app.oneshot(req).await.expect("oneshot");
+        assert_eq!(resp.status(), StatusCode::FORBIDDEN);
+    }
+
+    // 20. middleware_no_jwt_when_ip_blocked — blocked request never reaches
+    //     JWT validation. With an invalid token AND a denied IP, response is
+    //     403 (forbidden_ip) NOT 401 (which would indicate JWT was reached).
+    #[tokio::test]
+    async fn middleware_no_jwt_when_ip_blocked() {
+        let cfg = Arc::new(AuthConfig::new(
+            String::new(),
+            &["10.0.0.0/8".to_string()],
+            &[],
+        ));
+        let app = build_test_app(cfg);
+        // Peer 203.0.113.10 is outside allowlist, token is invalid.
+        // If the IP check ran first, response is 403. If JWT ran first, 401.
+        // We assert 403, proving the IP check short-circuited.
+        let req = build_request(Some(peer_v4(203, 0, 113, 10)), None);
+        let resp = app.oneshot(req).await.expect("oneshot");
+        assert_eq!(resp.status(), StatusCode::FORBIDDEN);
+    }
+}
--- a/crates/pm-core/src/config.rs
+++ b/crates/pm-core/src/config.rs
@ -119,6 +119,13 @@ pub struct LoggingConfig {
 pub struct SecurityConfig {
    /// IP whitelist (CIDR or individual IPs); empty = allow all (not recommended)
    pub ip_whitelist: Vec<String>,
+    /// IP addresses (CIDR or single IP) of trusted reverse proxies. When the
+    /// immediate TCP peer is in this list, `X-Forwarded-For` is honored;
+    /// otherwise the socket peer IP is used for allowlist enforcement.
+    /// Default: empty (do not trust `X-Forwarded-For`). See
+    /// `tasks/ip-allowlist-spec.md` §4.3 for the operational guidance.
+    #[serde(default)]
+    pub trusted_proxies: Vec<String>,
    /// JWT signing key path (Ed25519 PEM)
    pub jwt_signing_key_path: String,
    /// JWT verification key path (Ed25519 public PEM)
@ -280,6 +287,7 @@ impl Default for AppConfig {
            },
            security: SecurityConfig {
                ip_whitelist: vec![],
+                trusted_proxies: vec![],
                jwt_signing_key_path: "/etc/patch-manager/jwt/signing.pem".to_string(),
                jwt_verify_key_path: "/etc/patch-manager/jwt/verify.pem".to_string(),
                jwt_access_ttl_secs: 900,
--- a/crates/pm-web/src/main.rs
+++ b/crates/pm-web/src/main.rs
@ -83,6 +83,7 @@ async fn main() -> anyhow::Result<()> {
    let auth_config = Arc::new(AuthConfig::new(
        verify_key_pem,
        &config.security.ip_whitelist,
+        &config.security.trusted_proxies,
    ));

    let pool = db::init_pool(&config.database).await?;