adding logic to specifcy client-ip header from proxy

2025-07-20 10:04:08 +00:00 · 2025-01-05 20:29:08 +00:00 · 2025-01-05 20:29:08 +00:00 · 926967b6e7
commit 926967b6e7
parent 630f2957de
5 changed files with 65 additions and 224 deletions
--- a/server/config.go
+++ b/server/config.go
@ -144,6 +144,7 @@ type Config struct {
 	VisitorStatsResetTime                time.Time // Time of the day at which to reset visitor stats
 	VisitorSubscriberRateLimiting        bool      // Enable subscriber-based rate limiting for UnifiedPush topics
 	BehindProxy                          bool
+	ProxyClientIPHeader                  string
 	StripeSecretKey                      string
 	StripeWebhookKey                     string
 	StripePriceCacheDuration             time.Duration
@ -233,6 +234,7 @@ func NewConfig() *Config {
 		VisitorStatsResetTime:                DefaultVisitorStatsResetTime,
 		VisitorSubscriberRateLimiting:        false,
 		BehindProxy:                          false,
+		ProxyClientIPHeader:                  "",
 		StripeSecretKey:                      "",
 		StripeWebhookKey:                     "",
 		StripePriceCacheDuration:             DefaultStripePriceCacheDuration,
--- a/server/server.go
+++ b/server/server.go
@ -1925,7 +1925,7 @@ func (s *Server) autorizeTopic(next handleFunc, perm user.Permission) handleFunc
 // that subsequent logging calls still have a visitor context.
 func (s *Server) maybeAuthenticate(r *http.Request) (*visitor, error) {
 	// Read "Authorization" header value, and exit out early if it's not set
-	ip := extractIPAddress(r, s.config.BehindProxy)
+	ip := extractIPAddress(r, s.config.BehindProxy, s.config.ProxyClientIPHeader)
 	vip := s.visitor(ip, nil)
 	if s.userManager == nil {
 		return vip, nil
@ -2000,7 +2000,7 @@ func (s *Server) authenticateBearerAuth(r *http.Request, token string) (*user.Us
 	if err != nil {
 		return nil, err
 	}
-	ip := extractIPAddress(r, s.config.BehindProxy)
+	ip := extractIPAddress(r, s.config.BehindProxy, s.config.ProxyClientIPHeader)
 	go s.userManager.EnqueueTokenUpdate(token, &user.TokenUpdate{
 		LastAccess: time.Now(),
 		LastOrigin: ip,
--- a/server/util.go
+++ b/server/util.go
@ -4,13 +4,14 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"heckel.io/ntfy/v2/util"
 	"io"
 	"mime"
 	"net/http"
 	"net/netip"
 	"regexp"
 	"strings"
+
+	"heckel.io/ntfy/v2/util"
 )

 var (
@ -73,33 +74,61 @@ func readQueryParam(r *http.Request, names ...string) string {
 	return ""
 }

-func extractIPAddress(r *http.Request, behindProxy bool) netip.Addr {
+func extractIPAddress(r *http.Request, behindProxy bool, proxyClientIPHeader string) netip.Addr {
+	logr(r).Debug("Starting IP extraction")
+
 	remoteAddr := r.RemoteAddr
+	logr(r).Debug("RemoteAddr: %s", remoteAddr)
+
 	addrPort, err := netip.ParseAddrPort(remoteAddr)
 	ip := addrPort.Addr()
 	if err != nil {
-		// This should not happen in real life; only in tests. So, using falling back to 0.0.0.0 if address unspecified
+		logr(r).Warn("Failed to parse RemoteAddr as AddrPort: %v", err)
 		ip, err = netip.ParseAddr(remoteAddr)
 		if err != nil {
 			ip = netip.IPv4Unspecified()
-			if remoteAddr != "@" || !behindProxy { // RemoteAddr is @ when unix socket is used
-				logr(r).Err(err).Warn("unable to parse IP (%s), new visitor with unspecified IP (0.0.0.0) created", remoteAddr)
+			logr(r).Error("Failed to parse RemoteAddr as IP: %v, defaulting to 0.0.0.0", err)
+		}
+	}
+
+	// Log initial IP before further processing
+	logr(r).Debug("Initial IP after RemoteAddr parsing: %s", ip)
+
+	if proxyClientIPHeader != "" {
+		logr(r).Debug("Using ProxyClientIPHeader: %s", proxyClientIPHeader)
+		if customHeaderIP := r.Header.Get(proxyClientIPHeader); customHeaderIP != "" {
+			logr(r).Debug("Custom header %s value: %s", proxyClientIPHeader, customHeaderIP)
+			realIP, err := netip.ParseAddr(customHeaderIP)
+			if err != nil {
+				logr(r).Error("Invalid IP in %s header: %s, error: %v", proxyClientIPHeader, customHeaderIP, err)
+			} else {
+				logr(r).Debug("Successfully parsed IP from custom header: %s", realIP)
+				ip = realIP
 			}
-		}
-	}
-	if behindProxy && strings.TrimSpace(r.Header.Get("X-Forwarded-For")) != "" {
-		// X-Forwarded-For can contain multiple addresses (see #328). If we are behind a proxy,
-		// only the right-most address can be trusted (as this is the one added by our proxy server).
-		// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For for details.
-		ips := util.SplitNoEmpty(r.Header.Get("X-Forwarded-For"), ",")
-		realIP, err := netip.ParseAddr(strings.TrimSpace(util.LastString(ips, remoteAddr)))
-		if err != nil {
-			logr(r).Err(err).Error("invalid IP address %s received in X-Forwarded-For header", ip)
-			// Fall back to regular remote address if X-Forwarded-For is damaged
 		} else {
-			ip = realIP
+			logr(r).Warn("Custom header %s is empty or missing", proxyClientIPHeader)
 		}
+	} else if behindProxy {
+		logr(r).Debug("No ProxyClientIPHeader set, checking X-Forwarded-For")
+		if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
+			logr(r).Debug("X-Forwarded-For value: %s", xff)
+			ips := util.SplitNoEmpty(xff, ",")
+			realIP, err := netip.ParseAddr(strings.TrimSpace(util.LastString(ips, remoteAddr)))
+			if err != nil {
+				logr(r).Error("Invalid IP in X-Forwarded-For header: %s, error: %v", xff, err)
+			} else {
+				logr(r).Debug("Successfully parsed IP from X-Forwarded-For: %s", realIP)
+				ip = realIP
+			}
+		} else {
+			logr(r).Debug("X-Forwarded-For header is empty or missing")
+		}
+	} else {
+		logr(r).Debug("Behind proxy is false, skipping proxy headers")
 	}
+
+	// Final resolved IP
+	logr(r).Debug("Final resolved IP: %s", ip)
 	return ip
 }