api9nin / custom-server.js
github-actions[bot]
deploy from github actions 2026-06-18
c8ae75d
Raw
History Blame Contribute Delete
1.21 kB
const http = require("http");
const origCreate = http.createServer.bind(http);
// Wrap Next standalone HTTP server: derive client IP from the TCP socket
// (unspoofable) and strip client-supplied forwarding headers so downstream
// rate-limiting keys on the real peer address instead of attacker-controlled XFF.
http.createServer = (...args) => {
const handler = args.find((a) => typeof a === "function");
const rest = args.filter((a) => typeof a !== "function");
if (!handler) return origCreate(...args);
const wrapped = (req, res) => {
const ip = req.socket && req.socket.remoteAddress ? req.socket.remoteAddress : "";
// Forwarding headers present = request arrived via a reverse proxy; loopback
// socket is the proxy hop, not the end-user, so it must not be trusted as local.
const viaProxy = !!(req.headers["x-forwarded-for"] || req.headers["x-real-ip"]);
delete req.headers["x-9r-real-ip"];
delete req.headers["x-forwarded-for"];
delete req.headers["x-9r-via-proxy"];
req.headers["x-9r-real-ip"] = ip;
if (viaProxy) req.headers["x-9r-via-proxy"] = "1";
return handler(req, res);
};
return origCreate(...rest, wrapped);
};
require("./server.js");