Removing X-Forwarded-For in RoundTripper, closes getlantern/lantern#3597

getlantern · Feb 18, 2016 · da5479a · da5479a
1 parent 6b3a86d
commit da5479a
Showing 1 changed file with 17 additions and 2 deletions.
diff --git a/src/github.com/getlantern/flashlight/client/reverseproxy.go b/src/github.com/getlantern/flashlight/client/reverseproxy.go
@@ -40,14 +40,13 @@ func (client *Client) newReverseProxy(bal *balancer.Balancer) *httputil.ReverseP
 		// field when upstream servers are trying to determine the client IP.
 		// We need to add also the X-Lantern-Device-Id field.
 		Director: func(req *http.Request) {
-			req.Header.Del("X-Forwarded-For")
 			req.Header.Set("X-LANTERN-DEVICE-ID", client.DeviceID)
 			for _, authToken := range allAuthTokens {
 				req.Header.Add("X-LANTERN-AUTH-TOKEN", authToken)
 			}
 		},
 		Transport: &errorRewritingRoundTripper{
-			withDumpHeaders(false, transport),
+			&noForwardedForRoundTripper{withDumpHeaders(false, transport)},
 		},
 		// Set a FlushInterval to prevent overly aggressive buffering of
 		// responses, which helps keep memory usage down
@@ -121,3 +120,19 @@ func (er *errorRewritingRoundTripper) RoundTrip(req *http.Request) (resp *http.R
 	}
 	return res, err
 }
+
+// noForwardedForRoundTripper is a RoundTripper that strips out the
+// X-Forwarded-For header that was generated by the ReverseProxy. This is
+// is necessary because the Lantern config server assigns clients to proxies
+// based on the client's IPs, and it assumes that the client's ip is the first
+// in the X-Forwarded-For list. If we didn't strip out the X-Forwarded-For here,
+// every client IP would appear to be 127.0.0.1, and every client would get
+// assigned to the same server.
+type noForwardedForRoundTripper struct {
+	wrapped http.RoundTripper
+}
+
+func (rt *noForwardedForRoundTripper) RoundTrip(req *http.Request) (resp *http.Response, err error) {
+	req.Header.Del("X-Forwarded-For")
+	return rt.wrapped.RoundTrip(req)
+}