From 7aac0a0f9f1212a154a6188affce0f0ee2bb2ec7 Mon Sep 17 00:00:00 2001
From: calzoneman
Date: Sat, 6 Jul 2013 13:00:02 -0400
Subject: [PATCH] Fix a bug with IP forwarding
---
 config.js | 9 +++++++++
 package.json | 2 +-
 server.js | 24 ++++++++++++++++--------
 3 files changed, 26 insertions(+), 9 deletions(-)
diff --git a/config.js b/config.js
index afe81827..64476f7e 100644
--- a/config.js
+++ b/config.js
@@ -18,6 +18,15 @@ exports.WEBSERVER_PORT = 8080; // Webserver port. Binding port 80 requires root
 exports.MAX_PER_IP = 10;
 exports.GUEST_LOGIN_DELAY = 60; // Seconds
+/*
+ Set to true if you are behind a reverse proxy (e.g. Cloudflare)
+ so that client IPs are passed through correctly.
+
+ If you are not behind a reverse proxy, leave it as false, otherwise
+ clients can fake their IP address in the x-forwarded-for header
+*/
+exports.REVERSE_PROXY = false;
+
 var nodemailer = require("nodemailer");
 exports.MAIL = false;
 /* Example for setting up email:
diff --git a/package.json b/package.json
index 25d2455f..ee891dc1 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
 "author": "Calvin Montgomery",
 "name": "CyTube",
 "description": "Online media synchronizer and chat",
- "version": "2.0.2",
+ "version": "2.0.3",
 "repository": {
 "url": "http://github.com/calzoneman/sync"
 },
diff --git a/server.js b/server.js
index c5b3e83b..2cccd70f 100644
--- a/server.js
+++ b/server.js
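Review bot: The comment on `REVERSE_PROXY` in config.js should also say that enabling it is only safe when the server accepts connections exclusively from the proxy. Nothing visible in this patch checks that the connecting peer actually is the proxy, so with the flag set a client that reaches the port directly can still supply its own `x-forwarded-for` value. I would add a line inside the comment block such as `Only enable this if the server port is reachable solely through the proxy.`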
@@ -9,7 +9,7 @@ The above copyright notice and this permission notice shall be included in all c
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 */
-const VERSION = "2.0.2";
+const VERSION = "2.0.3";
 var fs = require("fs");
 var Logger = require("./logger.js");
@@ -36,15 +36,15 @@ app.get("/api/:apireq(*)", function(req, res, next) {
 });
 function getClientIP(req) {
- var ip;
+ var ip = false;
+ var raw = req.connection.remoteAddress;
 var forward = req.header("x-forwarded-for");
- if(forward) {
+ if(Config.REVERSE_PROXY && forward) {
 ip = forward.split(",")[0];
+ Logger.syslog.log("/" + ip + " is proxied by /" + raw);
+ return ip;
 }
- if(!ip) {
- ip = req.connection.remoteAddress;
- }
- return ip;
+ return raw;
 }
 app.get("/nws/connect", function(req, res, next) {
@@ -128,7 +128,15 @@ fs.exists("chanlogs", function(exists) {
 });
 function getSocketIP(socket) {
- return socket.handshake.headers["x-forwarded-for"] || socket.handshake.address.address;
+ var raw = socket.handshake.address.address;
+ if(Config.REVERSE_PROXY) {
+ if(typeof socket.handshake.headers["x-forwarded-for"] == "string") {
+ var ip = socket.handshake.headers["x-forwarded-for"].split(",")[0];
+ Logger.syslog.log("/" + ip + " is proxied by /" + raw);
+ return ip;
+ }
+ }
+ return socket.handshake.address.address;
 }
 exports.io.sockets.on("connection", function(socket) {
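Review bot: In `getClientIP`, `forward.split(",")[0]` takes the leftmost `x-forwarded-for` entry, which stays client-controlled whenever the proxy appends to an incoming header instead of replacing it. Anything keyed on the returned address (presumably `MAX_PER_IP` and similar per-IP checks) can then be sidestepped even with `REVERSE_PROXY` enabled. For a single trusted proxy hop, the entry that proxy added is the last one, so I would use `var parts = forward.split(","); ip = parts[parts.length - 1].trim();`. The same `split(",")[0]` appears in `getSocketIP` in the next hunk. The value is also logged and returned without validation; checking `require("net").isIP(ip)` and falling back to `raw` when it fails would keep malformed header text out of the log and out of later IP comparisons.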
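Review bot: In `getSocketIP` the final line re-reads `socket.handshake.address.address` although `raw` already holds that value; `return raw;` would match how `getClientIP` ends. The header is also looked up twice and compared with `==`; reading it once, `var forward = socket.handshake.headers["x-forwarded-for"];`, and testing `typeof forward === "string"` is clearer. Both functions now carry the same split-and-log logic, so a small shared helper taking `(forward, raw)` would keep the two trust decisions from drifting apart.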