better ip detection

cmd/webserver/ipranges.go

@@ -0,0 +1,20 @@
+package main
+
+var IpRanges = []string{
+	// Cloudflare:
+	"173.245.48.0/20",
+	"103.21.244.0/22",
+	"103.22.200.0/22",
+	"103.31.4.0/22",
+	"141.101.64.0/18",
+	"108.162.192.0/18",
+	"190.93.240.0/20",
+	"188.114.96.0/20",
+	"197.234.240.0/22",
+	"198.41.128.0/17",
+	"162.158.0.0/15",
+	"104.16.0.0/13",
+	"104.24.0.0/14",
+	"172.64.0.0/13",
+	"131.0.72.0/22",
+}

cmd/webserver/webserver.go

@@ -11,9 +11,11 @@ import (
 	"github.com/labstack/gommon/log"
 	"github.com/nats-io/nats.go"
 	"golang.org/x/time/rate"
+	"net"
 	"net/http"
 	"os"
 	"os/signal"
+	"slices"
 	"time"
 )
 
@@ -50,6 +52,16 @@ func main() {
 	e.Use(middleware.Logger())
 	e.Use(middleware.Recover())
 
+	var trustOptions []echo.TrustOption
+	for _, ipRange := range slices.Concat(IpRanges, cfg.TrustedIpRanges) {
+		_, network, err := net.ParseCIDR(ipRange)
+		if err != nil {
+			log.Panicf("Invalid ip range: %s", ipRange)
+		}
+		trustOptions = append(trustOptions, echo.TrustIPRange(network))
+	}
+	e.IPExtractor = echo.ExtractIPFromXFFHeader(trustOptions...)
+
 	e.StaticFS("/", echo.MustSubFS(wizard_vue.EmbedFS, wizard_vue.FSPrefix))
 
 	apiHandler := httpApi.New(

internal/config/config.go

@@ -21,6 +21,8 @@ type Config struct {
 	// Rate limits don't apply to cache
 	RateLimitEvery float64 `env:"RATE_LIMIT_EVERY" env-default:"60" validate:"number,gt=0"`
 	RateLimitBurst int     `env:"RATE_LIMIT_BURST" env-default:"10" validate:"number,gte=0"`
+	// IP ranges of reverse proxies for correct real ip detection (cidr format, sep. by comma)
+	TrustedIpRanges []string `env:"TRUSTED_IP_RANGES" env-default:"" validate:"omitempty,dive,cidr"`
 }
 
 func Read() (Config, error) {