From fa415e6decce0a48f452dfaae0e8a7c5b5ae8c4f Mon Sep 17 00:00:00 2001
From: proffapt
Date: Fri, 5 Jul 2024 00:42:49 +0530
Subject: [PATCH] fix: X-Forwarded-For spoofing attack; use X-Real-IP

---
 main.go                         | 4 ++--
 metaploy/heimdall.metaploy.conf | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/main.go b/main.go
index 1231f70..70f8c21 100644
--- a/main.go
+++ b/main.go
@@ -63,7 +63,7 @@ func LoggerMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		recorder := &responseRecorder{w, http.StatusOK, 0}
 		next.ServeHTTP(recorder, r)
-		log.Printf("INFO:\t%s - %q %s %d %s\n", r.Header.Get("X-Forwarded-For"), r.Method, r.RequestURI, recorder.status, http.StatusText(recorder.status))
+		log.Printf("INFO:\t%s - %q %s %d %s\n", r.Header.Get("X-Real-IP"), r.Method, r.RequestURI, recorder.status, http.StatusText(recorder.status))
 	})
 }
 
@@ -124,7 +124,7 @@ func generateOtp(user User) (bool, error) {
 }
 
 func handleCampusCheck(res http.ResponseWriter, req *http.Request) {
-	clientIP := req.Header.Get("X-Forwarded-For")
+	clientIP := req.Header.Get("X-Real-IP")
 	if strings.Contains(clientIP, ",") {
 		ips := strings.Split(clientIP, ",")
 		clientIP = strings.TrimSpace(ips[0])
diff --git a/metaploy/heimdall.metaploy.conf b/metaploy/heimdall.metaploy.conf
index f757e8d..f6432f6 100644
--- a/metaploy/heimdall.metaploy.conf
+++ b/metaploy/heimdall.metaploy.conf
@@ -7,5 +7,6 @@ server {
 
     location / {
         proxy_pass http://heimdall_server;
+        proxy_set_header X-Real-IP $remote_addr;
     }
 }
\ No newline at end of file
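Review bot: The logged client address on the new `log.Printf` line is still a request header, so it is only as trustworthy as the proxy that overwrites it; a request that reaches the Go listener without passing through nginx logs whatever value the caller chose, or an empty string when the header is absent. Falling back to the transport address keeps the log useful in both cases: `ip := r.Header.Get("X-Real-IP")` / `if ip == "" { ip = r.RemoteAddr }` and then pass `ip` to the format. Printing it with `%q` rather than `%s` would also make an empty or unusual value visible in the log. The handler closure and LoggerMiddleware are fully inside this hunk, but whether the server is bound only to a loopback or private address is not visible here and should be confirmed.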
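Review bot: The comma-splitting that follows the new `clientIP := req.Header.Get("X-Real-IP")` line is left over from the X-Forwarded-For logic and no longer matches the header's semantics: X-Real-IP as set by the nginx change is a single address, so a comma in it can only come from a caller that reached the app without the proxy rewriting the header, and in that case taking `ips[0]` silently accepts an attacker-chosen value. Since the spoofing defence now rests entirely on the proxy, this handler should not try to "repair" the header; instead validate it and refuse the request when it is not a single IP, e.g. `if net.ParseIP(strings.TrimSpace(clientIP)) == nil { http.Error(res, "bad request", http.StatusBadRequest); return }` (this needs `net` imported, which is not visible in the hunk). A comment such as `// X-Real-IP is overwritten by the reverse proxy; never trust it when the app is reachable directly` above the line would record the assumption for the next maintainer. handleCampusCheck continues past the end of the hunk, so how clientIP is compared against the campus range is not visible here.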
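Review bot: The new `proxy_set_header X-Real-IP $remote_addr;` overwrites the client-supplied X-Real-IP, which is what makes the Go change safe, but the client's X-Forwarded-For header is still passed to the upstream untouched, so any code path that still reads it (now or in a future change) remains spoofable. Either normalise it here with `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` or drop it with `proxy_set_header X-Forwarded-For "";` so the app only ever sees proxy-controlled values. Note also that `$remote_addr` is the address of the immediate peer; if this nginx itself sits behind another proxy or load balancer (not visible in this patch), it would need `set_real_ip_from`/`real_ip_header` to recover the original client address. The defence also assumes `heimdall_server` is not reachable except through this proxy, which the configuration shown does not establish.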