Sockopt config: Add trustedXForwardedFor (for XHTTP, WS, HU inbounds) (#5331)

Fixes #5101 (comment)

Author: RPRX

app/dns/config.pb.go

@@ -810,6 +810,7 @@ type SocketConfig struct {
 	CustomSockopt         []*CustomSockoptConfig `json:"customSockopt"`
 	AddressPortStrategy   string                 `json:"addressPortStrategy"`
 	HappyEyeballsSettings *HappyEyeballsConfig   `json:"happyEyeballs"`
+	TrustedXForwardedFor  []string               `json:"trustedXForwardedFor"`
 }
 
 // Build implements Buildable.
@@ -929,6 +930,7 @@ func (c *SocketConfig) Build() (*internet.SocketConfig, error) {
 		CustomSockopt:        customSockopts,
 		AddressPortStrategy:  addressPortStrategy,
 		HappyEyeballs:        happyEyeballs,
+		TrustedXForwardedFor: c.TrustedXForwardedFor,
 	}, nil
 }
 

app/router/config.pb.go

@@ -132,6 +132,8 @@ message SocketConfig {
   AddressPortStrategy address_port_strategy = 21;
 
   HappyEyeballsConfig happy_eyeballs = 22;
+
+  repeated string trusted_x_forwarded_for = 23;
 }
 
 message HappyEyeballsConfig {

infra/conf/transport_internet.go

@@ -20,6 +20,7 @@ type server struct {
 	config         *Config
 	addConn        internet.ConnHandler
 	innnerListener net.Listener
+	socketSettings *internet.SocketConfig
 }
 
 func (s *server) Close() error {
@@ -70,7 +71,17 @@ func (s *server) Handle(conn net.Conn) (stat.Connection, error) {
 		return nil, err
 	}
 
-	forwardedAddrs := http_proto.ParseXForwardedFor(req.Header)
+	var forwardedAddrs []net.Address
+	if s.socketSettings != nil && len(s.socketSettings.TrustedXForwardedFor) > 0 {
+		for _, key := range s.socketSettings.TrustedXForwardedFor {
+			if len(req.Header.Values(key)) > 0 {
+				forwardedAddrs = http_proto.ParseXForwardedFor(req.Header)
+				break
+			}
+		}
+	} else {
+		forwardedAddrs = http_proto.ParseXForwardedFor(req.Header)
+	}
 	remoteAddr := conn.RemoteAddr()
 	if len(forwardedAddrs) > 0 && forwardedAddrs[0].Family().IsIP() {
 		remoteAddr = &net.TCPAddr{
@@ -141,6 +152,7 @@ func ListenHTTPUpgrade(ctx context.Context, address net.Address, port net.Port,
 		config:         transportConfiguration,
 		addConn:        addConn,
 		innnerListener: listener,
+		socketSettings: streamSettings.SocketSettings,
 	}
 	go serverInstance.keepAccepting()
 	return serverInstance, nil

transport/internet/config.pb.go

@@ -27,13 +27,14 @@ import (
 )
 
 type requestHandler struct {
-	config    *Config
-	host      string
-	path      string
-	ln        *Listener
-	sessionMu *sync.Mutex
-	sessions  sync.Map
-	localAddr net.Addr
+	config         *Config
+	host           string
+	path           string
+	ln             *Listener
+	sessionMu      *sync.Mutex
+	sessions       sync.Map
+	localAddr      net.Addr
+	socketSettings *internet.SocketConfig
 }
 
 type httpSession struct {
@@ -139,7 +140,17 @@ func (h *requestHandler) ServeHTTP(writer http.ResponseWriter, request *http.Req
 		return
 	}
 
-	forwardedAddrs := http_proto.ParseXForwardedFor(request.Header)
+	var forwardedAddrs []net.Address
+	if h.socketSettings != nil && len(h.socketSettings.TrustedXForwardedFor) > 0 {
+		for _, key := range h.socketSettings.TrustedXForwardedFor {
+			if len(request.Header.Values(key)) > 0 {
+				forwardedAddrs = http_proto.ParseXForwardedFor(request.Header)
+				break
+			}
+		}
+	} else {
+		forwardedAddrs = http_proto.ParseXForwardedFor(request.Header)
+	}
 	var remoteAddr net.Addr
 	var err error
 	remoteAddr, err = net.ResolveTCPAddr("tcp", request.RemoteAddr)
@@ -356,12 +367,13 @@ func ListenXH(ctx context.Context, address net.Address, port net.Port, streamSet
 		}
 	}
 	handler := &requestHandler{
-		config:    l.config,
-		host:      l.config.Host,
-		path:      l.config.GetNormalizedPath(),
-		ln:        l,
-		sessionMu: &sync.Mutex{},
-		sessions:  sync.Map{},
+		config:         l.config,
+		host:           l.config.Host,
+		path:           l.config.GetNormalizedPath(),
+		ln:             l,
+		sessionMu:      &sync.Mutex{},
+		sessions:       sync.Map{},
+		socketSettings: streamSettings.SocketSettings,
 	}
 	tlsConfig := getTLSConfig(streamSettings)
 	l.isH3 = len(tlsConfig.NextProtos) == 1 && tlsConfig.NextProtos[0] == "h3"

transport/internet/config.proto

@@ -21,9 +21,10 @@ import (
 )
 
 type requestHandler struct {
-	host string
-	path string
-	ln   *Listener
+	host           string
+	path           string
+	ln             *Listener
+	socketSettings *internet.SocketConfig
 }
 
 var replacer = strings.NewReplacer("+", "-", "/", "_", "=", "")
@@ -64,7 +65,17 @@ func (h *requestHandler) ServeHTTP(writer http.ResponseWriter, request *http.Req
 		return
 	}
 
-	forwardedAddrs := http_proto.ParseXForwardedFor(request.Header)
+	var forwardedAddrs []net.Address
+	if h.socketSettings != nil && len(h.socketSettings.TrustedXForwardedFor) > 0 {
+		for _, key := range h.socketSettings.TrustedXForwardedFor {
+			if len(request.Header.Values(key)) > 0 {
+				forwardedAddrs = http_proto.ParseXForwardedFor(request.Header)
+				break
+			}
+		}
+	} else {
+		forwardedAddrs = http_proto.ParseXForwardedFor(request.Header)
+	}
 	remoteAddr := conn.RemoteAddr()
 	if len(forwardedAddrs) > 0 && forwardedAddrs[0].Family().IsIP() {
 		remoteAddr = &net.TCPAddr{
@@ -132,9 +143,10 @@ func ListenWS(ctx context.Context, address net.Address, port net.Port, streamSet
 
 	l.server = http.Server{
 		Handler: &requestHandler{
-			host: wsSettings.Host,
-			path: wsSettings.GetNormalizedPath(),
-			ln:   l,
+			host:           wsSettings.Host,
+			path:           wsSettings.GetNormalizedPath(),
+			ln:             l,
+			socketSettings: streamSettings.SocketSettings,
 		},
 		ReadHeaderTimeout: time.Second * 4,
 		MaxHeaderBytes:    8192,