new TrustXForwardedFor option

AuthorHash.go

@@ -11,8 +11,16 @@ func RemoteAddrToIPAddress(remoteAddr string) string {
 	return strings.TrimRight(strings.TrimRight(remoteAddr, `0123456789`), `:`) // trim trailing port; IPv4 and IPv6-safe
 }
 
-func Author(r *http.Request) string {
+func Author(r *http.Request, trustXForwardedFor bool) string {
 	userAgentHash := md5.Sum([]byte(r.UserAgent()))
 
-	return RemoteAddrToIPAddress(r.RemoteAddr) + "-" + hex.EncodeToString(userAgentHash[:])[:6]
+	ipAddress := RemoteAddrToIPAddress(r.RemoteAddr)
+
+	if trustXForwardedFor {
+		if xff := r.Header.Get("X-Forwarded-For"); len(xff) > 0 {
+			ipAddress = xff
+		}
+	}
+
+	return ipAddress + "-" + hex.EncodeToString(userAgentHash[:])[:6]
 }

ServerOptions.go

@@ -13,6 +13,7 @@ type ServerOptions struct {
 	DBFilePath           string
 	FaviconFilePath      string
 	AllowDBDownload      bool
+	TrustXForwardedFor   bool // Introduced in 3.0.1 - default false
 	RecentChanges        int
 	RecentChangesRSS     int
 	GzipCompressionLevel int
@@ -32,6 +33,7 @@ func DefaultOptions() *ServerOptions {
 		DBFilePath:           "wiki.db",
 		FaviconFilePath:      "", // no favicon
 		AllowDBDownload:      true,
+		TrustXForwardedFor:   false,
 		RecentChanges:        20,
 		RecentChangesRSS:     10,
 		GzipCompressionLevel: 9,

WikiServer.go

@@ -255,7 +255,7 @@ func (this *WikiServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 				return
 			}
 
-			err = this.db.SaveArticle(title, Author(r), body, int64(expectRev))
+			err = this.db.SaveArticle(title, Author(r, this.opts.TrustXForwardedFor), body, int64(expectRev))
 			if err != nil {
 				this.serveErrorMessage(w, err)
 				return