switch to Mojolicious::Plugin::ForwardedFor to get client IP

Other alternatives suffer from various defaults:
- Mojolicious::Plugin::ClientIP doesn't handle IPv6
- Mojolicious::Plugin::ClientIP::Pluggable exclude private addresses

README.md

@@ -23,7 +23,7 @@ It requires the following CPAN distributions:
 * Locale-Maketext-Lexicon
 * Mojolicious
 * Mojolicious-Plugin-INIConfig
-* Mojolicious-Plugin-ClientIP
+* Mojolicious-Plugin-ForwardedFor
 * Mojolicious-Plugin-TemplateToolkit
 * Rose-DB-Object
 * Syntax-Keyword-Try

conf/manager.conf

@@ -3,7 +3,6 @@ support_email = support@my.fqdn
 name = eduGAIN Access Check
 url = https://access-check.my.fqdn
 login_url = https://access-check.my.fqdn/Shibboleth.sso/Login
-proxies =
 
 [setup]
 # templates theme

lib/AccessCheck/App.pm

@@ -42,11 +42,7 @@ sub startup {
     );
 
     $self->plugin(
-        'ClientIP',
-        {
-            private => [ '127.0.0.0/8' ],
-            ignore  => [ $self->string_to_list($config->{app}->{proxies}) ]
-        }
+        'ForwardedFor',
     );
 
     $self->log(

lib/AccessCheck/App/Status.pm

@@ -41,7 +41,7 @@ sub run {
         return;
     }
 
-    my $client_ip   = $self->client_ip();
+    my $client_ip   = $self->forwarded_for();
     my @allowed_ips = $self->string_to_list($config->{status}->{allowed});
 
     if (none { network_contains($_, $client_ip) } @allowed_ips) {

lib/AccessCheck/App/Step3.pm

@@ -112,7 +112,7 @@ sub run {
             name          => $config->{app}->{name},
         },
         user          => $user->{name},
-        source_ip     => $self->client_ip(),
+        source_ip     => $self->forwarded_for(),
         idp           => { entityid => $user->{idp}, },
         sp            => { entityid => $entityid, },
         to            => $email,

systemd/access-check.sysconfig.in

@@ -3,3 +3,4 @@ ACCESS_CHECK_SERVER=daemon
 ACCESS_CHECK_URL=http://127.0.0.1:3000
 ACCESS_CHECK_OPTIONS=
 ACCESS_CHECK_CONFIG=@confdir@/manager.conf
+MOJO_REVERSE_PROXY=1