pixl-server-web 1.3.12 → 1.3.13

package/README.md

@@ -50,6 +50,7 @@ This module is a component for use in [pixl-server](https://www.github.com/jhuck
 	* [http_req_max_dump_enabled](#http_req_max_dump_enabled)
 	* [http_req_max_dump_dir](#http_req_max_dump_dir)
 	* [http_req_max_dump_debounce](#http_req_max_dump_debounce)
+	* [http_public_ip_offset](#http_public_ip_offset)
 	* [https](#https)
 	* [https_port](#https_port)
 	* [https_cert_file](#https_cert_file)
@@ -529,6 +530,19 @@ When the [Request Max Dump](#request-max-dump) system is enabled, the `http_req_
 
 When the [Request Max Dump](#request-max-dump) system is enabled, the `http_req_max_dump_debounce` property sets how many seconds should elapse between dumps, as to not overwhelm the filesystem.
 
+## http_public_ip_offset
+
+This controls how [args.ip](#argsip) is chosen from the list of IP addresses in [args.ips](#argsips) for each incoming request.  By default, the client IP is chosen by scanning the list from left to right, and selecting the first non-private IP.  However, [modern wisdom](https://adam-p.ca/blog/2022/03/x-forwarded-for/) suggests that alternate selection logic may be more desirable to find the true public IP.
+
+By setting `http_public_ip_offset` to an integer value, you can select *exactly* which IP to select from the list.  Use negative numbers to select IP address from the *end* (right side) of the list.  Here are the recommended values:
+
+| Offset | Description |
+|--------|-------------|
+| `0` | The default value.  Allow the server to select the public IP automatically. |
+| `-1` | Always select the *last* IP in the list (i.e. the TCP socket IP).  Use this mode if your server is connected to the internet directly. |
+| `-2` | Always select the *second-to-last* IP in the list.  Use this mode if you have a single proxy device in front of your server (e.g. a load balancer). |
+| `-3` | Always select the *third-to-last* IP in the list.  Use this mode if you have two proxy devices in front of your server (e.g. a load balancer and CDN / cache). |
+
 ## https
 
 This boolean allows you to enable HTTPS (SSL) support in the web server.  It defaults to `false`.  Note that you must also set `https_port`, and possibly `https_cert_file` and `https_key_file` for this to work.

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "pixl-server-web",
-	"version": "1.3.12",
+	"version": "1.3.13",
 	"description": "A web server component for the pixl-server framework.",
 	"author": "Joseph Huckaby <jhuckaby@gmail.com>",
 	"homepage": "https://github.com/jhuckaby/pixl-server-web",

package/test/test.js

@@ -1339,6 +1339,71 @@ module.exports = {
 			);
 		},
 		
+		// http_public_ip_offset
+		function testForwardedForOffsetNeg1(test) {
+			var self = this;
+			var web = this.web_server;
+			web.config.set('http_public_ip_offset', -1);
+			
+			request.json( 'http://127.0.0.1:3020/json', false, 
+				{
+					headers: {
+						"X-Forwarded-For": "1.2.3.4, 2.3.4.5, 3.4.5.6"
+					}
+				},
+				function(err, resp, data, perf) {
+					test.ok( !err, "No error from PixlRequest: " + err );
+					test.ok( !!resp, "Got resp from PixlRequest" );
+					test.ok( resp.statusCode == 200, "Got 200 response: " + resp.statusCode );
+					test.ok( data.ip === "127.0.0.1", "Correct offset public IP in response: " + data.ip );
+					web.config.set('http_public_ip_offset', 0); // reset
+					test.done();
+				} 
+			);
+		},
+		function testForwardedForOffsetNeg2(test) {
+			var self = this;
+			var web = this.web_server;
+			web.config.set('http_public_ip_offset', -2);
+			
+			request.json( 'http://127.0.0.1:3020/json', false, 
+				{
+					headers: {
+						"X-Forwarded-For": "1.2.3.4, 2.3.4.5, 3.4.5.6"
+					}
+				},
+				function(err, resp, data, perf) {
+					test.ok( !err, "No error from PixlRequest: " + err );
+					test.ok( !!resp, "Got resp from PixlRequest" );
+					test.ok( resp.statusCode == 200, "Got 200 response: " + resp.statusCode );
+					test.ok( data.ip === "3.4.5.6", "Correct offset public IP in response: " + data.ip );
+					web.config.set('http_public_ip_offset', 0); // reset
+					test.done();
+				} 
+			);
+		},
+		function testForwardedForOffsetNeg3(test) {
+			var self = this;
+			var web = this.web_server;
+			web.config.set('http_public_ip_offset', -3);
+			
+			request.json( 'http://127.0.0.1:3020/json', false, 
+				{
+					headers: {
+						"X-Forwarded-For": "1.2.3.4, 2.3.4.5, 3.4.5.6"
+					}
+				},
+				function(err, resp, data, perf) {
+					test.ok( !err, "No error from PixlRequest: " + err );
+					test.ok( !!resp, "Got resp from PixlRequest" );
+					test.ok( resp.statusCode == 200, "Got 200 response: " + resp.statusCode );
+					test.ok( data.ip === "2.3.4.5", "Correct offset public IP in response: " + data.ip );
+					web.config.set('http_public_ip_offset', 0); // reset
+					test.done();
+				} 
+			);
+		},
+		
 		// acl block
 		function testACL(test) {
 			request.get( 'http://127.0.0.1:3020/server-status', // ACL'ed endpoint

package/web_server.js

@@ -366,13 +366,22 @@ class WebServer extends Component {
 	
 	getPublicIP(ips) {
 		// filter out garbage that doesn't resemble ips
+		var public_ip_offset = this.config.get('http_public_ip_offset') || 0;
+		
 		var real_ips = ips.filter( function(ip) {
 			return ip.match( /^([\d\.]+|[a-f0-9:]+)$/ );
 		} );
 		
-		// determine first public IP from list of IPs
-		for (var idx = 0, len = real_ips.length; idx < len; idx++) {
-			if (!this.aclPrivateRanges.check(real_ips[idx])) return real_ips[idx];
+		if (public_ip_offset) {
+			// locate public IP using custom offset (usually negative, from end of list)
+			var temp = real_ips.slice( public_ip_offset, public_ip_offset + 1 || real_ips.length );
+			if (temp[0]) return temp[0];
+		}
+		else {
+			// determine first public IP from list of IPs
+			for (var idx = 0, len = real_ips.length; idx < len; idx++) {
+				if (!this.aclPrivateRanges.check(real_ips[idx])) return real_ips[idx];
+			}
 		}
 		
 		// default to first ip