From: Cursor Agent <cursoragent@cursor.com>
Date: Thu, 9 Oct 2025 08:10:58 +0000 (+0000)
Subject: feat: Add client IP to proxy messages
X-Git-Tag: 3.14.0~86^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9535e3c96123460768bdd1e47ee8b46b84f25724;p=thirdparty%2Frspamd.git

feat: Add client IP to proxy messages

Co-authored-by: v <v@rspamd.com>
---

diff --git a/src/rspamd_proxy.c b/src/rspamd_proxy.c
index 0c09d11eb0..f588381ba8 100644
--- a/src/rspamd_proxy.c
+++ b/src/rspamd_proxy.c
@@ -244,6 +244,36 @@ struct rspamd_proxy_session {
 
 static gboolean proxy_send_master_message(struct rspamd_proxy_session *session);
 
+static void
+proxy_add_client_ip_header(struct rspamd_http_message *msg,
+						   struct rspamd_proxy_session *session)
+{
+	/* Add/overwrite IP header with the actual client IP */
+	rspamd_http_message_remove_header(msg, IP_ADDR_HEADER);
+	if (session->client_milter_conn && session->client_milter_conn->addr) {
+		/* For milter connections, use the address from the CONNECT command */
+		if (rspamd_inet_address_get_af(session->client_milter_conn->addr) != AF_UNIX) {
+			rspamd_http_message_add_header(msg, IP_ADDR_HEADER,
+										   rspamd_inet_address_to_string_pretty(session->client_milter_conn->addr));
+		}
+		else {
+			rspamd_http_message_add_header(msg, IP_ADDR_HEADER,
+										   rspamd_inet_address_to_string(session->client_milter_conn->addr));
+		}
+	}
+	else if (session->client_addr) {
+		/* For HTTP connections, use the client address */
+		if (rspamd_inet_address_get_af(session->client_addr) != AF_UNIX) {
+			rspamd_http_message_add_header(msg, IP_ADDR_HEADER,
+										   rspamd_inet_address_to_string_pretty(session->client_addr));
+		}
+		else {
+			rspamd_http_message_add_header(msg, IP_ADDR_HEADER,
+										   rspamd_inet_address_to_string(session->client_addr));
+		}
+	}
+}
+
 static GQuark
 rspamd_proxy_quark(void)
 {
@@ -1796,6 +1826,9 @@ proxy_open_mirror_connections(struct rspamd_proxy_session *session)
 						/* Add log tag header based on mirror's configuration */
 						rspamd_proxy_add_log_tag_header(msg, session, m->log_tag_type);
 
+						/* Add/overwrite IP header with the actual client IP */
+						proxy_add_client_ip_header(msg, session);
+
 						/* Set handlers for the connection */
 						conn->error_handler = proxy_backend_mirror_error_handler;
 						conn->finish_handler = proxy_backend_mirror_finish_handler;
@@ -1936,6 +1969,9 @@ proxy_open_mirror_connections(struct rspamd_proxy_session *session)
 		/* Add log tag header based on mirror's configuration */
 		rspamd_proxy_add_log_tag_header(msg, session, m->log_tag_type);
 
+		/* Add/overwrite IP header with the actual client IP */
+		proxy_add_client_ip_header(msg, session);
+
 		unsigned int http_opts = RSPAMD_HTTP_CLIENT_SIMPLE;
 
 		if (m->ssl) {
@@ -2655,6 +2691,9 @@ proxy_send_master_message(struct rspamd_proxy_session *session)
 		/* Add log tag header based on backend's configuration */
 		rspamd_proxy_add_log_tag_header(msg, session, backend->log_tag_type);
 
+		/* Add/overwrite IP header with the actual client IP */
+		proxy_add_client_ip_header(msg, session);
+
 		if (backend->local ||
 			rspamd_inet_address_is_local(
 				rspamd_upstream_addr_cur(