From 3e68297016f49fb98ccc7c505e55d6182944ca21 Mon Sep 17 00:00:00 2001
From: vniehues <vniehues@noreply.dev.sp-tarkov.com>
Date: Sun, 12 May 2024 13:56:03 +0000
Subject: [PATCH] [ADD] functionality to read "x-forwarded-for" and "x-real-ip"
 headers when handling a request (!329)

I'm currently hosting the Project Fika Docker on a dedicated Server to have the Server up 24/7 without the need to let my PC run.
When hosting this as a docker container behind traefik (reverse proxy), the logger currently logs the internal IP of the traefik container.
This change makes it so that the headers that traefik/nginx can set are actually read and used. If these headers are not present, we fall back to the original method of using the `socket.remoteAdress`.
Since this is for logging only, the security implications are minimal.

Co-authored-by: Vincent Niehues <vincent.niehues@zeitag.ch>
Reviewed-on: https://dev.sp-tarkov.com/SPT-AKI/Server/pulls/329
Co-authored-by: vniehues <vniehues@noreply.dev.sp-tarkov.com>
Co-committed-by: vniehues <vniehues@noreply.dev.sp-tarkov.com>
---
 project/src/servers/HttpServer.ts | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/project/src/servers/HttpServer.ts b/project/src/servers/HttpServer.ts
index d03443b6..ac274715 100644
--- a/project/src/servers/HttpServer.ts
+++ b/project/src/servers/HttpServer.ts
@@ -79,9 +79,14 @@ export class HttpServer
         const sessionId = this.getCookies(req).PHPSESSID;
         this.applicationContext.addValue(ContextVariableType.SESSION_ID, sessionId);
 
+        // Extract headers for original IP detection
+        const realIp = req.headers["x-real-ip"] as string;
+        const forwardedFor = req.headers["x-forwarded-for"] as string;
+        const clientIp = realIp || (forwardedFor ? forwardedFor.split(",")[0].trim() : req.socket.remoteAddress);
+
         if (this.httpConfig.logRequests)
         {
-            const isLocalRequest = this.isLocalRequest(req.socket.remoteAddress);
+            const isLocalRequest = this.isLocalRequest(clientIp);
             if (typeof isLocalRequest !== "undefined")
             {
                 if (isLocalRequest)
@@ -91,7 +96,7 @@ export class HttpServer
                 else
                 {
                     this.logger.info(this.localisationService.getText("client_request_ip", {
-                        ip: req.socket.remoteAddress,
+                        ip: clientIp,
                         url: req.url.replaceAll("/", "\\"), // Localisation service escapes `/` into hex code `&#x2f;`
                     }));
                 }