Get IP from "standard" HTTP headers

[S7evinK]

...

But, if I may, do you think Dendrite should perhaps auto-try any of the standard "this is the client's real IP" headers automatically? Do you see any downsides in doing that? For what it's worth, from my limited self-hosting experience, many applications do it automatically, given the current trends in hosting stuff (everything behind reverse proxy or ingress or whatever)

Best regards
Zbig

Originally posted by @zbig-t in #3286 (comment)

[S7evinK]

Change somewhere here (or in this file):

dendrite/syncapi/sync/requestpool.go

Lines 176 to 204 in d65449c

	func (rp *RequestPool) updateLastSeen(req *http.Request, device *userapi.Device) {
	if _, ok := rp.lastseen.LoadOrStore(device.UserID+device.ID, struct{}{}); ok {
	return
	}
	remoteAddr := req.RemoteAddr
	if rp.cfg.RealIPHeader != "" {
	if header := req.Header.Get(rp.cfg.RealIPHeader); header != "" {
	// TODO: Maybe this isn't great but it will satisfy both X-Real-IP
	// and X-Forwarded-For (which can be a list where the real client
	// address is the first listed address). Make more intelligent?
	addresses := strings.Split(header, ",")
	if ip := net.ParseIP(addresses[0]); ip != nil {
	remoteAddr = addresses[0]
	}
	}
	}
	lsreq := &userapi.PerformLastSeenUpdateRequest{
	UserID: device.UserID,
	DeviceID: device.ID,
	RemoteAddr: remoteAddr,
	UserAgent: req.UserAgent(),
	}
	lsres := &userapi.PerformLastSeenUpdateResponse{}
	go rp.userAPI.PerformLastSeenUpdate(req.Context(), lsreq, lsres) // nolint:errcheck
	rp.lastseen.Store(device.UserID+device.ID, time.Now())
	}

[zbig-t]

Thanks, I think (hope) that's not beyond my abilities. Will create a PR once I mange to take care of that.

[Curious-r]

I think it's necessary.
Now I'm use X-Forwarded-For instead of X-Real-ip, because the former exists in a lot of reverse proxies as a standard header。

[bones-was-here]

None of these headers are safe to trust in the default configuration, unless Dendrite will never use the information for anything important.

To be trustworthy the IP header must be set by a trusted reverse proxy that also discards any (potentially spoofed) information it receives in these headers. The various proxy implementations have different default behaviours, might not be using their defaults, or the admin might not be using a proxy at all.