fix: check X-Real-IP and X-Forwarded-For

service/default/http.go

@@ -11,6 +11,7 @@ import (
 	"net"
 	"net/url"
 	"nhooyr.io/websocket"
+	"strings"
 )
 
 var _ service.Service = (*HTTPServiceDefault)(nil)
@@ -86,24 +87,42 @@ func (h *HTTPServiceDefault) p2pHandler(ctx jape.Context) {
 
 	ip := peer.GetIP()
 
-	switch v := ip.(type) {
+	// Check for reverse proxy headers
-	case *net.IPNet:
+	realIP := ctx.Request.Header.Get("X-Real-IP")
-		if v.IP.IsLoopback() {
+	forwardedFor := ctx.Request.Header.Get("X-Forwarded-For")
-			err := peer.End()
-			if err != nil {
-				h.Logger().Error("error ending peer", zap.Error(err))
-			}
-			return
-		}
 
-	case *net.TCPAddr:
+	var clientIP net.IP
-		if v.IP.IsLoopback() {
+	if realIP != "" {
-			err := peer.End()
+		clientIP = net.ParseIP(realIP)
-			if err != nil {
+	} else if forwardedFor != "" {
-				h.Logger().Error("error ending peer", zap.Error(err))
+		// X-Forwarded-For can contain multiple IP addresses separated by commas
-			}
+		// We take the first IP in the list as the client's IP
-			return
+		parts := strings.Split(forwardedFor, ",")
+		clientIP = net.ParseIP(parts[0])
+	}
+
+	blockConnection := func(ip net.Addr) bool {
+		// If we have a valid client IP from headers, use that for the loopback check
+		if clientIP != nil {
+			return clientIP.IsLoopback()
 		}
+		// Otherwise, fall back to the peer's IP
+		switch v := ip.(type) {
+		case *net.IPNet:
+			return v.IP.IsLoopback()
+		case *net.TCPAddr:
+			return v.IP.IsLoopback()
+		default:
+			return false
+		}
+	}
+
+	if blockConnection(ip) {
+		err := peer.End()
+		if err != nil {
+			h.Logger().Error("error ending peer", zap.Error(err))
+		}
+		return
 	}
 
 	h.Services().P2P().ConnectionTracker().Add(1)