Use trusted proxies to get the real client ip

[danxuliu]

Fixes #5

Now the remote address of requests is adjusted based on the original remote address, the X-Forwarded-For header and a configured list of trusted proxies.

Note that, unlike the signaling server, private networks are not trusted by default. Any trusted proxy must be explicitly configured in the recording server to prevent an existing but not properly configured proxy from passing rather than setting the X-Forwarded-For header.

Similarly, unlike the Nextcloud server the header to use can not be configured, it will always be X-Forwarded-For, as different headers may have a different syntax (for example, the standard but apparently not broadly used equivalent to X-Forwarded-For, the Forwarded header, uses a key=value syntax).

It is expected that the X-Forwarded-For header provided by trusted proxies includes only IP addresses; if a hostname or anything else that is not an IP address is included it will be treated as an invalid value and the preceding entry to the right (or the original remote address if there is none) will be used as the "real" IP address (which is another reason why the Forwarded header can not be used, as it may include obfuscated identifiers).

Nevertheless, it would have been possible to ignore invalid values until an address is found as long as the first invalid value comes from a trusted proxy, as even if all trusted proxies add the hostname of other trusted proxies the first IP address would not come from a trusted proxy and be the "real" client IP, but at least for now it was implemented in a strict way.

[szaimen]

Hi, would it be possible to create a new tag that contains these changes so that AIO gets this update? Also see https://github.com/nextcloud/nextcloud-talk-recording/issues/10

[nickvergessen]

Will be done once a new version is ready. There is still one thing in the pipeline iirc

[szaimen]

Will be done once a new version is ready. There is still one thing in the pipeline iirc

Okay, thanks!