Sockopt config: Add discardXForwardedFor (for XHTTP, WS, HU) (#5325)

Fixes #5101 (comment)

Author: RPRX

app/dns/config.pb.go

@@ -810,6 +810,7 @@ type SocketConfig struct {
 	CustomSockopt         []*CustomSockoptConfig `json:"customSockopt"`
 	AddressPortStrategy   string                 `json:"addressPortStrategy"`
 	HappyEyeballsSettings *HappyEyeballsConfig   `json:"happyEyeballs"`
+	DiscardXForwardedFor  bool                   `json:"discardXForwardedFor"`
 }
 
 // Build implements Buildable.
@@ -929,6 +930,7 @@ func (c *SocketConfig) Build() (*internet.SocketConfig, error) {
 		CustomSockopt:        customSockopts,
 		AddressPortStrategy:  addressPortStrategy,
 		HappyEyeballs:        happyEyeballs,
+		DiscardXForwardedFor: c.DiscardXForwardedFor,
 	}, nil
 }
 

app/router/config.pb.go

@@ -132,6 +132,8 @@ message SocketConfig {
   AddressPortStrategy address_port_strategy = 21;
 
   HappyEyeballsConfig happy_eyeballs = 22;
+
+  bool discard_x_forwarded_for = 23;
 }
 
 message HappyEyeballsConfig {

infra/conf/transport_internet.go

@@ -20,6 +20,7 @@ type server struct {
 	config         *Config
 	addConn        internet.ConnHandler
 	innnerListener net.Listener
+	socketSettings *internet.SocketConfig
 }
 
 func (s *server) Close() error {
@@ -72,6 +73,9 @@ func (s *server) Handle(conn net.Conn) (stat.Connection, error) {
 
 	forwardedAddrs := http_proto.ParseXForwardedFor(req.Header)
 	remoteAddr := conn.RemoteAddr()
+	if s.socketSettings != nil && s.socketSettings.DiscardXForwardedFor {
+		forwardedAddrs = nil
+	}
 	if len(forwardedAddrs) > 0 && forwardedAddrs[0].Family().IsIP() {
 		remoteAddr = &net.TCPAddr{
 			IP:   forwardedAddrs[0].IP(),
@@ -141,6 +145,7 @@ func ListenHTTPUpgrade(ctx context.Context, address net.Address, port net.Port,
 		config:         transportConfiguration,
 		addConn:        addConn,
 		innnerListener: listener,
+		socketSettings: streamSettings.SocketSettings,
 	}
 	go serverInstance.keepAccepting()
 	return serverInstance, nil

transport/internet/config.pb.go

@@ -27,13 +27,14 @@ import (
 )
 
 type requestHandler struct {
-	config    *Config
-	host      string
-	path      string
-	ln        *Listener
-	sessionMu *sync.Mutex
-	sessions  sync.Map
-	localAddr net.Addr
+	config         *Config
+	host           string
+	path           string
+	ln             *Listener
+	sessionMu      *sync.Mutex
+	sessions       sync.Map
+	localAddr      net.Addr
+	socketSettings *internet.SocketConfig
 }
 
 type httpSession struct {
@@ -155,6 +156,9 @@ func (h *requestHandler) ServeHTTP(writer http.ResponseWriter, request *http.Req
 			Port: remoteAddr.(*net.TCPAddr).Port,
 		}
 	}
+	if h.socketSettings != nil && h.socketSettings.DiscardXForwardedFor {
+		forwardedAddrs = nil
+	}
 	if len(forwardedAddrs) > 0 && forwardedAddrs[0].Family().IsIP() {
 		remoteAddr = &net.TCPAddr{
 			IP:   forwardedAddrs[0].IP(),
@@ -356,12 +360,13 @@ func ListenXH(ctx context.Context, address net.Address, port net.Port, streamSet
 		}
 	}
 	handler := &requestHandler{
-		config:    l.config,
-		host:      l.config.Host,
-		path:      l.config.GetNormalizedPath(),
-		ln:        l,
-		sessionMu: &sync.Mutex{},
-		sessions:  sync.Map{},
+		config:         l.config,
+		host:           l.config.Host,
+		path:           l.config.GetNormalizedPath(),
+		ln:             l,
+		sessionMu:      &sync.Mutex{},
+		sessions:       sync.Map{},
+		socketSettings: streamSettings.SocketSettings,
 	}
 	tlsConfig := getTLSConfig(streamSettings)
 	l.isH3 = len(tlsConfig.NextProtos) == 1 && tlsConfig.NextProtos[0] == "h3"

transport/internet/config.proto

@@ -21,9 +21,10 @@ import (
 )
 
 type requestHandler struct {
-	host string
-	path string
-	ln   *Listener
+	host           string
+	path           string
+	ln             *Listener
+	socketSettings *internet.SocketConfig
 }
 
 var replacer = strings.NewReplacer("+", "-", "/", "_", "=", "")
@@ -66,6 +67,9 @@ func (h *requestHandler) ServeHTTP(writer http.ResponseWriter, request *http.Req
 
 	forwardedAddrs := http_proto.ParseXForwardedFor(request.Header)
 	remoteAddr := conn.RemoteAddr()
+	if h.socketSettings != nil && h.socketSettings.DiscardXForwardedFor {
+		forwardedAddrs = nil
+	}
 	if len(forwardedAddrs) > 0 && forwardedAddrs[0].Family().IsIP() {
 		remoteAddr = &net.TCPAddr{
 			IP:   forwardedAddrs[0].IP(),
@@ -132,9 +136,10 @@ func ListenWS(ctx context.Context, address net.Address, port net.Port, streamSet
 
 	l.server = http.Server{
 		Handler: &requestHandler{
-			host: wsSettings.Host,
-			path: wsSettings.GetNormalizedPath(),
-			ln:   l,
+			host:           wsSettings.Host,
+			path:           wsSettings.GetNormalizedPath(),
+			ln:             l,
+			socketSettings: streamSettings.SocketSettings,
 		},
 		ReadHeaderTimeout: time.Second * 4,
 		MaxHeaderBytes:    8192,