From dac83ba437987b1063210c255cf05b2d01ab4ba3 Mon Sep 17 00:00:00 2001
From: Pierre HUBERT
Date: Sat, 23 Jan 2021 08:37:58 +0100
Subject: [PATCH] Check for upstream proxy
---
 config.yaml | 5 ++---
 src/data/http_request_handler.rs | 23 ++++++++++++++++++++++-
 2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/config.yaml b/config.yaml
index 0710775..0efe32a 100644
--- a/config.yaml
+++ b/config.yaml
@@ -10,9 +10,8 @@ server-address: 0.0.0.0
 server-port: 3001
 # Server proxy (none = no proxy)
-# This value is used to trust upstream
-# IP addresses
-proxy: none
+# This value is used to trust upstream proxy
+proxy: "127.0.0.1"
 # If set to true Access-Control-Allow-Origin will be set for https
 force-https: false
diff --git a/src/data/http_request_handler.rs b/src/data/http_request_handler.rs
index 00bef3b..8dd120d 100644
--- a/src/data/http_request_handler.rs
+++ b/src/data/http_request_handler.rs
@@ -194,7 +194,28 @@ impl HttpRequestHandler {
 /// Get the remote IP address
 pub fn remote_ip(&self) -> String {
- self.request.peer_addr().unwrap().ip().to_string()
+ let mut ip = self.request.peer_addr().unwrap().ip().to_string();
+
+ // We check if the request comes from a trusted reverse proxy
+ if let Some(proxy) = conf().proxy.as_ref() {
+ if ip.eq(proxy) {
+ if let Some(header) = self.request.headers().get("X-Forwarded-For") {
+ let header: Vec = header
+ .to_str()
+ .unwrap()
+ .to_string()
+ .split(",")
+ .map(|f| f.to_string())
+ .collect();
+
+ if header.len() > 0 {
+ ip = header[0].to_string();
+ }
+ }
+ }
+ }
+
+ ip
 }
 /// Check if a POST parameter was present in the request or not
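Review bot: The shipped default in the config.yaml hunk changes from `proxy: none` to `proxy: "127.0.0.1"`, so a fresh deployment trusts `X-Forwarded-For` from any loopback peer without the operator opting in. Keeping `proxy: none` as the default and showing the address as a commented example would make that trust an explicit choice. The comment could also state the matching rule, for example `# Requests from this exact IP are trusted to set X-Forwarded-For`, since the handler compares the value with `ip.eq(proxy)` as a plain string.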
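Review bot: In `remote_ip()` the address is taken from `header[0]`, the leftmost `X-Forwarded-For` entry, which is whatever the client sent if the proxy appends to the header rather than replacing it. A client behind the trusted proxy can then choose the address this function reports. Assuming a single trusted proxy, the rightmost entry is the only one that proxy vouches for, and it should be trimmed and parsed as an `IpAddr` before it replaces the peer address. The `.to_str().unwrap()` call also panics on a header value that is not visible ASCII, which a proxy may forward unchanged; falling back to the peer address is safer, as in the rewrite below. The `header.len() > 0` test is always true because `split` yields at least one item.

```rust
// … unchanged: peer address lookup and the `ip.eq(proxy)` trust check …
if let Some(header) = self.request.headers().get("X-Forwarded-For") {
    // Only the rightmost entry was written by the trusted proxy;
    // anything to its left is client-supplied.
    let forwarded = header
        .to_str()
        .ok()
        .and_then(|v| v.rsplit(',').next())
        .and_then(|v| v.trim().parse::<std::net::IpAddr>().ok());

    // Keep the peer address when the header is malformed.
    if let Some(addr) = forwarded {
        ip = addr.to_string();
    }
}
// … unchanged: closing braces and the final `ip` expression …
```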