Add reverse proxy IP header support for web server logging

MorquinDevlar · MorquinDevlar · commit 8d48b19ee166 · 2025-08-11T21:54:53.000+02:00
Added:
  - getClientIP helper function to extract real client IPs from proxy
headers
  - X-Real-IP header parsing (higher priority)
  - X-Forwarded-For header parsing with comma-separated IP support
  - Security check to only trust headers from localhost connections

Changed:
  - Web request logging to use getClientIP instead of r.RemoteAddr
  - Log output now shows real client IPs when behind trusted reverse
proxy
diff --git a/internal/web/web.go b/internal/web/web.go
@@ -42,6 +42,47 @@ type WebNav struct {
 	Target string
 }
 
+// getClientIP extracts the real client IP address from the request.
+// It checks for X-Real-IP and X-Forwarded-For headers when the direct
+// connection is from localhost (trusted proxy), otherwise returns the
+// direct connection IP.
+func getClientIP(r *http.Request) string {
+	// Get the direct connection IP
+	remoteAddr := r.RemoteAddr
+
+	// Extract just the IP part (remove port)
+	host, _, err := net.SplitHostPort(remoteAddr)
+	if err != nil {
+		// If splitting fails, use the whole remoteAddr
+		host = remoteAddr
+	}
+
+	// Only trust proxy headers if the connection is from localhost
+	if host == "127.0.0.1" || host == "::1" || host == "localhost" {
+		// Check X-Real-IP first (higher priority)
+		if realIP := r.Header.Get("X-Real-IP"); realIP != "" {
+			return realIP
+		}
+
+		// Check X-Forwarded-For (may contain multiple IPs)
+		if forwardedFor := r.Header.Get("X-Forwarded-For"); forwardedFor != "" {
+			// X-Forwarded-For can contain comma-separated IPs
+			// The first one is the original client
+			ips := strings.Split(forwardedFor, ",")
+			if len(ips) > 0 {
+				// Trim any whitespace from the IP
+				clientIP := strings.TrimSpace(ips[0])
+				if clientIP != "" {
+					return clientIP
+				}
+			}
+		}
+	}
+
+	// Return the direct connection IP if no proxy headers or not from localhost
+	return host
+}
+
 type WebPlugin interface {
 	NavLinks() map[string]string                                                    // Name=>Path pairs
 	WebRequest(r *http.Request) (html string, templateData map[string]any, ok bool) // Get the first handler of a given request
@@ -106,7 +147,7 @@ func serveTemplate(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if !pageFound || len(fileBase) > 0 && fileBase[0] == '_' {
-		mudlog.Info("Web", "ip", r.RemoteAddr, "ref", r.Header.Get("Referer"), "file path", fullPath, "file extension", fileExt, "error", "Not found")
+		mudlog.Info("Web", "ip", getClientIP(r), "ref", r.Header.Get("Referer"), "file path", fullPath, "file extension", fileExt, "error", "Not found")
 
 		fullPath = filepath.Join(httpRoot, `404.html`)
 		fInfo, err = os.Stat(fullPath)
@@ -122,7 +163,7 @@ func serveTemplate(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Log the request
-	mudlog.Info("Web", "ip", r.RemoteAddr, "ref", r.Header.Get("Referer"), "file path", fullPath, "file extension", fileExt, "file source", source, "size", fmt.Sprintf(`%.2fk`, float64(fSize)/1024))
+	mudlog.Info("Web", "ip", getClientIP(r), "ref", r.Header.Get("Referer"), "file path", fullPath, "file extension", fileExt, "file source", source, "size", fmt.Sprintf(`%.2fk`, float64(fSize)/1024))
 
 	// For non-HTML files, serve them statically.
 	if fileExt != ".html" {
