network: add trusted ips

This allows the user to set trusted ips to Cloudflare or some other CDN
and have the logs have the correct IPs.

fixes #801

src/reverseproxy.js

@@ -27,7 +27,10 @@ exports = module.exports = {
     removeAppConfigs,
     restoreFallbackCertificates,
 
-    handleCertificateProviderChanged
+    handleCertificateProviderChanged,
+
+    getTrustedIps,
+    setTrustedIps
 };
 
 const acme2 = require('./acme2.js'),
@@ -52,7 +55,8 @@ const acme2 = require('./acme2.js'),
     settings = require('./settings.js'),
     shell = require('./shell.js'),
     sysinfo = require('./sysinfo.js'),
-    util = require('util');
+    util = require('util'),
+    validator = require('validator');
 
 const NGINX_APPCONFIG_EJS = fs.readFileSync(__dirname + '/nginxconfig.ejs', { encoding: 'utf8' });
 const RESTART_SERVICE_CMD = path.join(__dirname, 'scripts/restartservice.sh');
@@ -728,3 +732,25 @@ async function handleCertificateProviderChanged(domain) {
 
     safe.fs.appendFileSync(paths.REVERSE_PROXY_REBUILD_FILE, `${domain}\n`, 'utf8');
 }
+
+async function getTrustedIps() {
+    return await settings.getTrustedIps();
+}
+
+async function setTrustedIps(trustedIps) {
+    assert.strictEqual(typeof trustedIps, 'string');
+
+    let trustedIpsConfig = 'real_ip_header X-Forwarded-For;\nreal_ip_recursive on;\n';
+
+    for (const line of trustedIps.split('\n')) {
+        if (!line || line.startsWith('#')) continue;
+        const rangeOrIP = line.trim();
+        // this checks for IPv4 and IPv6
+        if (!validator.isIP(rangeOrIP) && !validator.isIPRange(rangeOrIP)) throw new BoxError(BoxError.BAD_FIELD, `${rangeOrIP} is not a valid IP or range`);
+        trustedIpsConfig += `set_real_ip_from ${rangeOrIP};\n`;
+    }
+
+    await settings.setTrustedIps(trustedIps);
+    if (!safe.fs.writeFileSync(paths.NGINX_TRUSTED_IPS_FILE, trustedIpsConfig, 'utf8')) throw new BoxError(BoxError.FS_ERROR, safe.error.message);
+    await reload();
+}