cmd/anubis: set X-Real-Ip based on X-Forwarded-For (#63)v1.14.1

This triggers a SHAME release[0].

[0]: https://pridever.org/

6 files changed, 27 insertions, 1 deletions

diff --git a/VERSION b/VERSION
index cd99d38..30f101c 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.14.0
\ No newline at end of file
+1.14.1
\ No newline at end of file
diff --git a/cmd/anubis/main.go b/cmd/anubis/main.go
index 75d3038..e27e02f 100644
--- a/cmd/anubis/main.go
+++ b/cmd/anubis/main.go
@@ -214,6 +214,7 @@ func main() {
 	var h http.Handler
 	h = mux
 	h = internal.DefaultXRealIP(*debugXRealIPDefault, h)
+	h = internal.XForwardedForToXRealIP(h)
 
 	srv := http.Server{Handler: h}
 	listener, url := setupListener(*bindNetwork, *bind)
diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md
index 1c42808..ef94d1b 100644
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -11,6 +11,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## v1.14.1
+
+Livia sas Junius: Echo 1
+
+- Set the `X-Real-Ip` header based on the contents of `X-Forwarded-For`
+  [#62](https://github.com/TecharoHQ/anubis/issues/62)
+
 ## v1.14.0
 
 Livia sas Junius
diff --git a/go.mod b/go.mod
index 8caa7fa..f4f54bc 100644
--- a/go.mod
+++ b/go.mod
@@ -34,6 +34,7 @@ require (
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/sebest/xff v0.0.0-20210106013422-671bd2870b3a // indirect
 	golang.org/x/mod v0.24.0 // indirect
 	golang.org/x/net v0.37.0 // indirect
 	golang.org/x/sync v0.12.0 // indirect
diff --git a/go.sum b/go.sum
index 839037b..a3dea0d 100644
--- a/go.sum
+++ b/go.sum
@@ -59,6 +59,8 @@ github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ
 github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/sebest/xff v0.0.0-20210106013422-671bd2870b3a h1:iLcLb5Fwwz7g/DLK89F+uQBDeAhHhwdzB5fSlVdhGcM=
+github.com/sebest/xff v0.0.0-20210106013422-671bd2870b3a/go.mod h1:wozgYq9WEBQBaIJe4YZ0qTSFAMxmcwBhQH0fO0R34Z0=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
diff --git a/internal/headers.go b/internal/headers.go
index 1de845d..681d076 100644
--- a/internal/headers.go
+++ b/internal/headers.go
@@ -5,6 +5,7 @@ import (
 	"net/http"
 
 	"github.com/TecharoHQ/anubis"
+	"github.com/sebest/xff"
 )
 
 // UnchangingCache sets the Cache-Control header to cache a response for 1 year if
@@ -33,3 +34,17 @@ func DefaultXRealIP(defaultIP string, next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 	})
 }
+
+// XForwardedForToXRealIP sets the X-Real-Ip header based on the contents
+// of the X-Forwarded-For header.
+func XForwardedForToXRealIP(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if xffHeader := r.Header.Get("X-Forwarded-For"); r.Header.Get("X-Real-Ip") == "" && xffHeader != "" {
+			ip := xff.Parse(xffHeader)
+			slog.Debug("setting x-real-ip", "val", ip)
+			r.Header.Set("X-Real-Ip", ip)
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}