TRUST_PROXY not working in open-balena-api

After upgrading to the latest version of open-balena, we’ve been stuck on a CORS issue - and finally found the culprit. This commit to open-balena-api moved the TRUST_PROXY parsing to the env-parsing library, but the config files which set the environment were never updated to grab the TRUST_PROXY from the environment and inject it in the env file - so it gets lost. And unfortunately that same change made the default “false” instead of “true” previously - so it breaks CORS for anyone using open-balena behind a proxy (which would apply to anyone using it in a k8s environment, possibly others).

Hi @drcnyc,

Thanks for reporting this. I’ve shared your report with our engineers but wanted to let you know that the lead engineer for openBalena is out on vacation until May 22 (lucky European holidays!), so it may be a bit before you see a response from us. We have seen your message though and will reply as soon as we can.

Hi @drcnyc, the issue appears to be that we switched the default to “false”, as it seems we never relied on the env var value (it wouldn’t be read even you set it because it doesn’t make it to the container’s env file — as you found out). If you could please make a PR that adds a TRUST_PROXY entry similar to API_HOST in open-balena-api/env.tmpl at master · balena-io/open-balena-api · GitHub that would fix it. (You can ignore the toml file, confd doesn’t really use it for env files).

This PR I’ve created ( Add TRUST_PROXY environment variable by bartversluijs · Pull Request #1328 · balena-io/open-balena-api ( is opened 3 weeks ago, all tests have passed and was also rebased once. I’ve also commented again to ping the Balena team if this PR can be approved. So this issue is already “resolved”, but still needs approval…

Just my 2 cents, but it appears that confd does actually set up the env file using the toml file, and when I add in a proper mapping there it works, and still allows the user to configure this option. So unless we think that nobody would ever want to set this to false (I can imagine a few cases where one might want it this way) it might be better to just map it in the toml like all the other variables, which is in fact used as the environment for node when node starts via the systemd service.

@bversluijs we’ve merged your PR, thank you so much for creating it. Would you and @drcnyc give this a try again and let us know if things are working now as expected?

1 Like

Thank you! Confirming it works for me.