From 90e2b5cecc44b7782dfa150d800bf83886b573c1 Mon Sep 17 00:00:00 2001
From: Daniel Aloni
Date: Mon, 27 Feb 2023 19:01:28 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20Do=20not=20store=20proxy=20ips?= =?UTF-8?q?=20as=20device's=20ip.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 internal/httputil/httpapi.go | 3 ++-
 syncapi/sync/requestpool.go | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/internal/httputil/httpapi.go b/internal/httputil/httpapi.go
index c42a1dbd0..85ebf6176 100644
--- a/internal/httputil/httpapi.go
+++ b/internal/httputil/httpapi.go
@@ -240,7 +240,8 @@ func MakeExternalAPI(metricsName string, f func(*http.Request) util.JSONResponse
 defer span.Finish()
 req = req.WithContext(opentracing.ContextWithSpan(req.Context(), span))
 if forwardedFor := req.Header.Get("X-Forwarded-For"); forwardedFor != "" {
- req.RemoteAddr = forwardedFor
+ ips := strings.Split(forwardedFor, ", ")
+ req.RemoteAddr = ips[0]
 }
 h.ServeHTTP(nextWriter, req)
diff --git a/syncapi/sync/requestpool.go b/syncapi/sync/requestpool.go
index 57cd96871..046913750 100644
--- a/syncapi/sync/requestpool.go
+++ b/syncapi/sync/requestpool.go
@@ -192,7 +192,8 @@ func (rp *RequestPool) updateLastSeen(req *http.Request, device *userapi.Device)
 }
 if forwardedFor := req.Header.Get("X-Forwarded-For"); forwardedFor != "" {
- req.RemoteAddr = forwardedFor
+ ips := strings.Split(forwardedFor, ", ")
+ req.RemoteAddr = ips[0]
 }
 remoteAddr := req.RemoteAddr
 if rp.cfg.RealIPHeader != "" {
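Review bot: `ips[0]` is the leftmost X-Forwarded-For entry, which is the value the client itself sent whenever the front proxy appends to the header instead of replacing it, so the address stored in `req.RemoteAddr` remains client-chosen; the identical change in syncapi/sync/requestpool.go has the same property. The header should be honoured only when the direct peer is a known proxy, and the entry to take is the rightmost one not added by a trusted proxy; failing that, a comment stating that the deployment's proxy must overwrite the incoming header belongs on this block. Separately, splitting on `", "` leaves a list written without the space unsplit, and `Header.Get` reads only the first X-Forwarded-For header line; `req.RemoteAddr = strings.TrimSpace(strings.Split(forwardedFor, ",")[0])` covers the first case. MakeExternalAPI's body starts and ends outside the hunk.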
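Review bot: updateLastSeen overwrites `req.RemoteAddr` on the caller's request only to copy it into `remoteAddr` on the following line, so the mutation is a side effect the function does not need. Working on the local keeps the request untouched: declare `remoteAddr := req.RemoteAddr` first and assign `remoteAddr = ips[0]` inside the `if`. If sync requests already pass through MakeExternalAPI, this block repeats that rewrite and could be dropped, though that cannot be confirmed from the hunk. The function body starts and ends outside the hunk.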