Server: Add "proxy-ip-header" config option

Signed-off-by: Michael Mayer <michael@photoprism.app>

internal/config/config_server.go

@@ -33,6 +33,11 @@ func (c *Config) TrustedProxies() []string {
 	return c.options.TrustedProxies
 }
 
+// ProxyIPHeaders returns the trusted forwarded IP address header names, if any.
+func (c *Config) ProxyIPHeaders() []string {
+	return c.options.ProxyIPHeaders
+}
+
 // ProxyProtoHeader returns the proxy protocol header names.
 func (c *Config) ProxyProtoHeader() []string {
 	return c.options.ProxyProtoHeaders

internal/config/flags.go

@@ -661,6 +661,12 @@ var Flags = CliFlags{
 			Value:   cli.NewStringSlice(header.CidrPodInternal, header.CidrDockerInternal, header.CidrCalicoInternal),
 			EnvVars: EnvVars("TRUSTED_PROXY"),
 		}}, {
+		Flag: &cli.StringSliceFlag{
+			Name:    "proxy-ip-header",
+			Usage:   "proxy client IP header `NAME`",
+			Value:   cli.NewStringSlice(header.ForwardedFor),
+			EnvVars: EnvVars("PROXY_IP_HEADER"),
+		}}, {
 		Flag: &cli.StringSliceFlag{
 			Name:    "proxy-proto-header",
 			Usage:   "proxy protocol header `NAME`",

internal/config/options.go

@@ -142,6 +142,7 @@ type Options struct {
 	HttpsProxy             string        `yaml:"HttpsProxy" json:"HttpsProxy" flag:"https-proxy"`
 	HttpsProxyInsecure     bool          `yaml:"HttpsProxyInsecure" json:"HttpsProxyInsecure" flag:"https-proxy-insecure"`
 	TrustedProxies         []string      `yaml:"TrustedProxies" json:"-" flag:"trusted-proxy"`
+	ProxyIPHeaders         []string      `yaml:"ProxyIPHeaders" json:"-" flag:"proxy-ip-header"`
 	ProxyProtoHeaders      []string      `yaml:"ProxyProtoHeaders" json:"-" flag:"proxy-proto-header"`
 	ProxyProtoHttps        []string      `yaml:"ProxyProtoHttps" json:"-" flag:"proxy-proto-https"`
 	DisableTLS             bool          `yaml:"DisableTLS" json:"DisableTLS" flag:"disable-tls"`

internal/config/report.go

@@ -178,6 +178,7 @@ func (c *Config) Report() (rows [][]string, cols []string) {
 		{"https-proxy", c.HttpsProxy()},
 		{"https-proxy-insecure", fmt.Sprintf("%t", c.HttpsProxyInsecure())},
 		{"trusted-proxy", c.TrustedProxy()},
+		{"proxy-ip-header", strings.Join(c.ProxyIPHeaders(), ", ")},
 		{"proxy-proto-header", strings.Join(c.ProxyProtoHeader(), ", ")},
 		{"proxy-proto-https", strings.Join(c.ProxyProtoHttps(), ", ")},
 

internal/server/start.go

@@ -47,11 +47,14 @@ func Start(ctx context.Context, conf *config.Config) {
 	// Create new router engine without standard middleware.
 	router := gin.New()
 
-	// Set proxy addresses from which headers related to the client and protocol can be trusted
+	// Set proxy addresses from which headers related to the client and protocol can be trusted.
 	if err := router.SetTrustedProxies(conf.TrustedProxies()); err != nil {
 		log.Warnf("server: %s", err)
 	}
 
+	// Set proxy addresses from which headers related to the client and protocol can be trusted.
+	router.RemoteIPHeaders = conf.ProxyIPHeaders()
+
 	// Register panic recovery middleware.
 	router.Use(Recovery())
 

pkg/media/http/header/security.go

@@ -9,6 +9,7 @@ const (
 	ContentTypeOptions      = "X-Content-Type-Options"     // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
 	XSSProtection           = "X-XSS-Protection"           // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
 	FrameOptions            = "X-Frame-Options"            // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+	ForwardedFor            = "X-Forwarded-For"            // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
 	ForwardedProto          = "X-Forwarded-Proto"          // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
 )