From 2fd2d68a9e160f5f2b1c0178a5208f5e118ba55e Mon Sep 17 00:00:00 2001
From: Bojan Kucera
Date: Thu, 5 Jun 2025 22:33:16 -0400
Subject: [PATCH] more aggresive ip check

---
 k8s-ingress.yaml | 12 ++++++++----
 src/index.ts | 34 ++++++++++++++++++++++++++--------
 2 files changed, 34 insertions(+), 12 deletions(-)

diff --git a/k8s-ingress.yaml b/k8s-ingress.yaml
index a0768fd..7e428e5 100644
--- a/k8s-ingress.yaml
+++ b/k8s-ingress.yaml
@@ -6,10 +6,14 @@ metadata:
 cert-manager.io/cluster-issuer: letsencrypt-prod
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
 nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
- nginx.ingress.kubernetes.io/use-real-ip: "true"
- nginx.ingress.kubernetes.io/real-ip-header: "X-Forwarded-For"
- nginx.ingress.kubernetes.io/forwarded-for-header: "X-Forwarded-For"
- nginx.ingress.kubernetes.io/proxy-real-ip-cidr: "0.0.0.0/0"
+ # Aggressive real IP configuration
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ more_set_headers "X-Real-IP $remote_addr";
+ more_set_headers "X-Forwarded-For $proxy_add_x_forwarded_for";
+ nginx.ingress.kubernetes.io/server-snippet: |
+ set_real_ip_from 0.0.0.0/0;
+ real_ip_header X-Forwarded-For;
+ real_ip_recursive on;
 labels:
 app: proxy-detection-api
 spec:
diff --git a/src/index.ts b/src/index.ts
index fd06248..f737cb6 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -36,6 +36,7 @@ function getClientIP(request: FastifyRequest): string {
 headers['cf-connecting-ip']?.toString(), // Cloudflare
 headers['true-client-ip']?.toString(), // Akamai/other CDNs
 headers['x-forwarded-for']?.toString().split(',')[0]?.trim(), // Most common
+ headers['x-original-forwarded-for']?.toString().split(',')[0]?.trim(), // Original
 headers['x-client-ip']?.toString(), // Apache
 headers['x-cluster-client-ip']?.toString(), // Cluster
 headers['forwarded']?.toString().match(/for=([^;,\s]+)/)?.[1], // RFC 7239
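Review bot: `set_real_ip_from 0.0.0.0/0` together with `real_ip_recursive on` in the server-snippet makes nginx accept X-Forwarded-For from any peer, and when every hop counts as trusted the address it settles on is the leftmost entry, which the client writes itself. Restrict the trusted range to the load balancer or CDN that actually sits in front of the ingress, e.g. `set_real_ip_from <TRUSTED_LB_CIDR>;` (placeholder). In the configuration-snippet, `more_set_headers` sets response headers, so those two lines send X-Real-IP and the forwarding chain back to the caller rather than on to the backend; the request-side directive is `proxy_set_header`, and as far as I know the controller already sets both headers for upstreams, so the lines can probably be dropped. Snippet annotations also have to be enabled on the controller (`allow-snippet-annotations`), which is worth weighing before depending on them.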
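Review bot: The added `x-original-forwarded-for` entry is one more request header the caller can set, and like the `x-forwarded-for` line above it the code takes the leftmost element without checking it. As far as I know ingress-nginx fills this header with the X-Forwarded-For value exactly as it arrived, so it carries no more assurance than the entry before it. A comment on the array would make the trust assumption explicit, e.g. `// header values are client-supplied unless the edge proxy overwrites them; do not use for access decisions`, and each candidate could be checked with `net.isIP()` before it is returned. getClientIP starts and ends outside this hunk.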
@@ -43,17 +44,34 @@ function getClientIP(request: FastifyRequest): string {
 request.socket.remoteAddress // Socket
 ];

- // Filter out internal/private IPs and return first public IP
- for (const ip of ipSources) {
- if (ip && ip !== 'unknown' && !isPrivateIP(ip)) {
- return ip;
- }
- }
-
- // If no public IP found, return the first non-unknown IP
+ // Don't filter private IPs for now - let's see what we get
 return ipSources.find(ip => ip && ip !== 'unknown') || 'unknown';
 }

+// Add a more detailed debug endpoint
+fastify.get('/ip-debug-detailed', async (request) => {
+ const headers = request.headers;
+
+ return {
+ allSources: {
+ 'cf-connecting-ip': headers['cf-connecting-ip'],
+ 'true-client-ip': headers['true-client-ip'],
+ 'x-forwarded-for': headers['x-forwarded-for'],
+ 'x-original-forwarded-for': headers['x-original-forwarded-for'],
+ 'x-client-ip': headers['x-client-ip'],
+ 'x-real-ip': headers['x-real-ip'],
+ 'x-cluster-client-ip': headers['x-cluster-client-ip'],
+ 'forwarded': headers['forwarded'],
+ 'fastify-ip': request.ip,
+ 'socket-remote': request.socket.remoteAddress
+ },
+ detectedClientIP: getClientIP(request),
+ fastifyIPs: request.ips,
+ allHeaders: headers,
+ timestamp: Date.now()
+ };
+});
+
 // Check if IP is private/internal
 function isPrivateIP(ip: string): boolean {
 if (!ip || ip === 'unknown') return true;
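Review bot: The new `/ip-debug-detailed` route has no authentication and returns `allHeaders: headers`, so any caller gets the full request header set back, including `cookie`, `authorization` and whatever headers the ingress injects on the way in. Reflecting cookies in a response body also makes HttpOnly cookies readable to script running on the same origin. In the same hunk getClientIP stops skipping private addresses, so the first header present wins even when it holds an RFC 1918 or loopback value; if that is a temporary diagnostic, mark it with `// TODO: restore isPrivateIP filter` so it does not ship by accident. The sketch below registers the route only behind an opt-in flag and leaves credentials out of the echo; isPrivateIP's body continues outside the hunk.

```typescript
// Debug route is registered only when explicitly enabled (env name is illustrative).
if (process.env.IP_DEBUG_ENABLED === 'true') {
  fastify.get('/ip-debug-detailed', async (request) => {
    const headers = request.headers;
    // Never echo credentials back in the response body.
    const { authorization, cookie, ...safeHeaders } = headers;

    return {
      // … unchanged: allSources, detectedClientIP, fastifyIPs …
      allHeaders: safeHeaders,
      timestamp: Date.now()
    };
  });
}
```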