From 201553033839811e1fdcd1e7f5fd588774c8c0b4 Mon Sep 17 00:00:00 2001
From: Noah Petherbridge
Date: Thu, 9 Jul 2015 23:14:44 -0700
Subject: [PATCH] Add support for X-Forwarded-For
---
 defaults.yml | 7 +++++++
 rophako/utils.py | 8 ++++----
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/defaults.yml b/defaults.yml
index 43b9b3f..fa294ec 100644
--- a/defaults.yml
+++ b/defaults.yml
@@ -73,6 +73,13 @@ rophako:
 # Password strength: number of iterations for bcrypt password.
 bcrypt_iterations: 12
+ # Proxy support. If you *KNOW* your web app will be behind a trusted proxy,
+ # such as a load balancer, you can make the app accept the X-Forwarded-For
+ # header to provide the user's real IP address. Do NOT set this if you are
+ # not behind a proxy, otherwise a malicious user could "spoof" their address
+ # by using this header.
+ use_forwarded_for: false
+
 ###
 # Mail Settings
 ###
diff --git a/rophako/utils.py b/rophako/utils.py
index cbdb674..dada1cc 100644
--- a/rophako/utils.py
+++ b/rophako/utils.py
@@ -286,10 +286,10 @@ def include(endpoint, *args, **kwargs):
 def remote_addr():
- """Retrieve the end user's remote IP address."""
-
- # TODO: eventually support configurations with X-Forwarded-For, but for
- # now at least we're centralizing this in one spot.
+ """Retrieve the end user's remote IP address. If the site is configured
+ to honor X-Forwarded-For and this header is present, it's returned."""
+ if Config.security.use_forwarded_for:
+ return request.access_route[0]
 return request.remote_addr
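Review bot: `return request.access_route[0]` in remote_addr picks the leftmost X-Forwarded-For entry, which is the one the original client can put there itself, so with `use_forwarded_for` enabled the address stays spoofable even behind a trusted proxy unless that proxy overwrites the header instead of appending to it. Werkzeug's access_route is ordered from the claimed client to the last proxy, so for a single trusted proxy the entry that proxy added is `return request.access_route[-1]`; a more general form counts a configured number of trusted hops from the right, which is what Werkzeug's ProxyFix middleware does. Whichever is chosen, the new defaults.yml comment in the first hunk should say that the proxy must strip or overwrite a client-supplied X-Forwarded-For, not only that the app sits behind one. The docstring should also state what happens when the option is on but the header is absent; access_route presumably falls back to remote_addr, but that is worth confirming. The hunk header counts two trailing context lines that are not visible here, so the end of remote_addr may be cut off.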