Add Known Proxies to system configuration

Jellyfin.Server/Extensions/ApiServiceCollectionExtensions.cs

@@ -2,6 +2,7 @@ using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
+using System.Net;
 using System.Reflection;
 using Jellyfin.Api.Auth;
 using Jellyfin.Api.Auth.DefaultAuthorizationPolicy;
@@ -17,7 +18,6 @@ using Jellyfin.Api.Constants;
 using Jellyfin.Api.Controllers;
 using Jellyfin.Server.Configuration;
 using Jellyfin.Server.Formatters;
-using Jellyfin.Server.Middleware;
 using MediaBrowser.Common.Json;
 using MediaBrowser.Model.Entities;
 using Microsoft.AspNetCore.Authentication;
@@ -28,6 +28,7 @@ using Microsoft.AspNetCore.HttpOverrides;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.OpenApi.Models;
 using Swashbuckle.AspNetCore.SwaggerGen;
+using AuthenticationSchemes = Jellyfin.Api.Constants.AuthenticationSchemes;
 
 namespace Jellyfin.Server.Extensions
 {
@@ -136,8 +137,9 @@ namespace Jellyfin.Server.Extensions
         /// </summary>
         /// <param name="serviceCollection">The service collection.</param>
         /// <param name="pluginAssemblies">An IEnumerable containing all plugin assemblies with API controllers.</param>
+        /// <param name="knownProxies">A list of all known proxies to trust for X-Forwarded-For.</param>
         /// <returns>The MVC builder.</returns>
-        public static IMvcBuilder AddJellyfinApi(this IServiceCollection serviceCollection, IEnumerable<Assembly> pluginAssemblies)
+        public static IMvcBuilder AddJellyfinApi(this IServiceCollection serviceCollection, IEnumerable<Assembly> pluginAssemblies, IReadOnlyList<string> knownProxies)
         {
             IMvcBuilder mvcBuilder = serviceCollection
                 .AddCors()
@@ -145,6 +147,13 @@ namespace Jellyfin.Server.Extensions
                 .Configure<ForwardedHeadersOptions>(options =>
                 {
                     options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
+                    for (var i = 0; i < knownProxies.Count; i++)
+                    {
+                        if (IPAddress.TryParse(knownProxies[i], out var address))
+                        {
+                            options.KnownProxies.Add(address);
+                        }
+                    }
                 })
                 .AddMvc(opts =>
                 {

Jellyfin.Server/Startup.cs

@@ -52,7 +52,7 @@ namespace Jellyfin.Server
             {
                 options.HttpsPort = _serverApplicationHost.HttpsPort;
             });
-            services.AddJellyfinApi(_serverApplicationHost.GetApiPluginAssemblies());
+            services.AddJellyfinApi(_serverApplicationHost.GetApiPluginAssemblies(), _serverConfigurationManager.Configuration.KnownProxies);
 
             services.AddJellyfinApiSwagger();
 
@@ -103,6 +103,7 @@ namespace Jellyfin.Server
                     mainApp.UseDeveloperExceptionPage();
                 }
 
+                mainApp.UseForwardedHeaders();
                 mainApp.UseMiddleware<ExceptionMiddleware>();
 
                 mainApp.UseMiddleware<ResponseTimeMiddleware>();

MediaBrowser.Model/Configuration/ServerConfiguration.cs

@@ -268,6 +268,11 @@ namespace MediaBrowser.Model.Configuration
         /// </summary>
         public string[] CorsHosts { get; set; }
 
+        /// <summary>
+        /// Gets or sets the known proxies.
+        /// </summary>
+        public string[] KnownProxies { get; set; }
+
         /// <summary>
         /// Initializes a new instance of the <see cref="ServerConfiguration" /> class.
         /// </summary>
@@ -378,6 +383,7 @@ namespace MediaBrowser.Model.Configuration
             EnableSlowResponseWarning = true;
             SlowResponseThresholdMs = 500;
             CorsHosts = new[] { "*" };
+            KnownProxies = Array.Empty<string>();
         }
     }