Log the remote address, and only trust localhost proxies

I need the actual remote address to add fail2ban rules for it, but i also to not want everyone to be able to fake X-Forward-For HTTP headers. Which can contain multiple ip addresses, by the way, so i have to get only the first one, as the others will be the proxies that the request has been (re)forwarded to.
2023-06-13 14:21:54 +02:00 · 2023-06-13 14:21:54 +02:00 · d79ddc6731
parent ac28393398
commit d79ddc6731
2 changed files with 15 additions and 5 deletions
--- a/pkg/logger.go
+++ b/pkg/logger.go
@ -44,7 +44,7 @@ func Logger(handler http.Handler) http.Handler {
 			referer = "-"
 		}
 		log.Printf("HTTP - %s - - [%s] \"%s %s %s\" %d %d \"%s\" \"%s\" %s\n",
-			r.RemoteAddr,
+			remoteAddr(r),
 			t.Format("02/Jan/2006:15:04:05 -0700"),
 			r.Method,
 			r.URL.Path,
--- a/pkg/login.go
+++ b/pkg/login.go
@ -7,6 +7,7 @@ import (
 	"html/template"
 	"net"
 	"net/http"
+	"strings"
 	"time"

 	"golang.org/x/text/language"
@ -129,11 +130,20 @@ func HandleLogout(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 }

 func remoteAddr(r *http.Request) string {
-	address := r.Header.Get("X-Forwarded-For")
-	if address == "" {
-		address, _, _ = net.SplitHostPort(r.RemoteAddr)
-	}
+	address, _, _ := net.SplitHostPort(r.RemoteAddr)
+	if address != "localhost" && address != "127.0.0.1" && address != "::1" {
 		return address
+	}
+	forwarded := r.Header.Get("X-Forwarded-For")
+	if forwarded == "" {
+		return address
+	}
+	ips := strings.Split(forwarded, ", ")
+	forwarded = ips[0]
+	if forwarded == "" {
+		return address
+	}
+	return forwarded
 }

 func setSessionCookie(w http.ResponseWriter, cookie string) {