From a8b7809dda1773f85c110f32bba31c43371475b3 Mon Sep 17 00:00:00 2001
From: Guillaume Rousse <guillaume.rousse@renater.fr>
Date: Wed, 13 Apr 2022 11:17:21 +0200
Subject: [PATCH] switch to Mojolicious::Plugin::ForwardedFor to get client IP

Other alternatives suffer from various defects:
- Mojolicious::Plugin::ClientIP doesn't handle IPv6
- Mojolicious::Plugin::ClientIP::Pluggable excludes private addresses
---
 README.md                         | 2 +-
 conf/manager.conf                 | 1 -
 lib/AccessCheck/App.pm            | 6 +-----
 lib/AccessCheck/App/Status.pm     | 2 +-
 lib/AccessCheck/App/Step3.pm      | 2 +-
 systemd/access-check.sysconfig.in | 1 +
 6 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 9e0e99e..d22ebba 100644
--- a/README.md
+++ b/README.md
@@ -23,7 +23,7 @@ It requires the following CPAN distributions:
 * Locale-Maketext-Lexicon
 * Mojolicious
 * Mojolicious-Plugin-INIConfig
-* Mojolicious-Plugin-ClientIP
+* Mojolicious-Plugin-ForwardedFor
 * Mojolicious-Plugin-TemplateToolkit
 * Rose-DB-Object
 * Syntax-Keyword-Try
diff --git a/conf/manager.conf b/conf/manager.conf
index 162676f..292af27 100644
--- a/conf/manager.conf
+++ b/conf/manager.conf
@@ -3,7 +3,6 @@ support_email = support@my.fqdn
 name = eduGAIN Access Check
 url = https://access-check.my.fqdn
 login_url = https://access-check.my.fqdn/Shibboleth.sso/Login
-proxies =
 
 [setup]
 # templates theme
diff --git a/lib/AccessCheck/App.pm b/lib/AccessCheck/App.pm
index 428e3cb..8799bf5 100644
--- a/lib/AccessCheck/App.pm
+++ b/lib/AccessCheck/App.pm
@@ -42,11 +42,7 @@ sub startup {
     );
 
     $self->plugin(
-        'ClientIP',
-        {
-            private => [ '127.0.0.0/8' ],
-            ignore  => [ $self->string_to_list($config->{app}->{proxies}) ]
-        }
+        'ForwardedFor',
     );
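Review bot: The new `'ForwardedFor',` line drops the explicit trusted-proxy configuration the old `private`/`ignore` options carried (together with the `proxies =` key removed from conf/manager.conf), so the address the plugin extracts from X-Forwarded-For is now trusted as long as `MOJO_REVERSE_PROXY=1` is set, whichever peer supplied the header. That matters because lib/AccessCheck/App/Status.pm compares `forwarded_for()` against the `allowed` networks, so that allow-list is only as strong as the guarantee that the backend listener is reachable solely through the reverse proxy. If the plugin lets you state the expected number of proxy hops (it appears to take a `levels` option), pass it explicitly rather than relying on the default; either way, a comment such as `# Client address is taken from X-Forwarded-For (MOJO_REVERSE_PROXY=1); the listener must only be reachable through the trusted reverse proxy` above the call would record the assumption the removed config used to make visible. startup's body continues outside the hunk.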
 
     $self->log(
diff --git a/lib/AccessCheck/App/Status.pm b/lib/AccessCheck/App/Status.pm
index 2631354..b4bea27 100644
--- a/lib/AccessCheck/App/Status.pm
+++ b/lib/AccessCheck/App/Status.pm
@@ -41,7 +41,7 @@ sub run {
         return;
     }
 
-    my $client_ip   = $self->client_ip();
+    my $client_ip   = $self->forwarded_for();
     my @allowed_ips = $self->string_to_list($config->{status}->{allowed});
 
     if (none { network_contains($_, $client_ip) } @allowed_ips) {
diff --git a/lib/AccessCheck/App/Step3.pm b/lib/AccessCheck/App/Step3.pm
index 83e68d5..568d5fc 100644
--- a/lib/AccessCheck/App/Step3.pm
+++ b/lib/AccessCheck/App/Step3.pm
@@ -112,7 +112,7 @@ sub run {
             name          => $config->{app}->{name},
         },
         user          => $user->{name},
-        source_ip     => $self->client_ip(),
+        source_ip     => $self->forwarded_for(),
         idp           => { entityid => $user->{idp}, },
         sp            => { entityid => $entityid, },
         to            => $email,
diff --git a/systemd/access-check.sysconfig.in b/systemd/access-check.sysconfig.in
index cd44c65..d150a34 100644
--- a/systemd/access-check.sysconfig.in
+++ b/systemd/access-check.sysconfig.in
@@ -3,3 +3,4 @@ ACCESS_CHECK_SERVER=daemon
 ACCESS_CHECK_URL=http://127.0.0.1:3000
 ACCESS_CHECK_OPTIONS=
 ACCESS_CHECK_CONFIG=@confdir@/manager.conf
+MOJO_REVERSE_PROXY=1
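Review bot: `MOJO_REVERSE_PROXY=1` is added without a comment, although it changes the trust model: once set, Mojolicious accepts `X-Forwarded-For` and `X-Forwarded-Proto` from any connecting peer. That is safe only while the daemon (which `ACCESS_CHECK_URL` above appears to bind to `127.0.0.1:3000`) is never reachable except through the reverse proxy, so a line such as `# trust X-Forwarded-* headers; only safe while the daemon is reachable solely through the reverse proxy` would record that assumption for operators editing this file.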
-- 
GitLab