From 21fc3f76c663f0b64e97e7ab701db38e3b08ee66 Mon Sep 17 00:00:00 2001
From: devld
Date: Wed, 11 Mar 2026 11:21:24 +0800
Subject: [PATCH 1/2] Add TrustedProxies configuration to support proxy IPs in Gin
---
 common/config.go | 6 ++++++
 docs/config.yml | 15 +++++++++++++++
 server/server.go | 6 ++++++
 3 files changed, 27 insertions(+)
diff --git a/common/config.go b/common/config.go
index e85bfc60..7ee65940 100644
--- a/common/config.go
+++ b/common/config.go
@@ -70,6 +70,12 @@ const (
 type Config struct {
 Listen string `yaml:"listen"`
+ // TrustedProxies is a list of trusted proxy IPs or CIDRs.
+ // When set, Gin will only trust X-Forwarded-For from these sources.
+ // When empty (default), proxy headers are not trusted and ClientIP()
+ // returns the direct remote address.
+ TrustedProxies []string `yaml:"trusted-proxies"`
+
 Db DbConfig `yaml:"db"`
 APIPath string `yaml:"api-path"`
diff --git a/docs/config.yml b/docs/config.yml
index 312baca0..b0c9ede0 100644
--- a/docs/config.yml
+++ b/docs/config.yml
@@ -1,6 +1,21 @@
 # The application will listen at this address
 listen: :8089
+# Trusted proxy IPs or CIDRs.
+# When set, Gin will only trust X-Forwarded-For headers from these sources
+# to determine the client IP. This is important for IP-based rate limiting
+# and logging to work correctly.
+# When empty or not set (default), proxy headers are NOT trusted and
+# ClientIP() returns the direct remote address (most secure default).
+# If go-drive is running behind a reverse proxy (e.g. Nginx), you MUST
+# configure this to include the proxy's IP/CIDR, otherwise the real
+# client IP will not be recognized.
+#trusted-proxies:
+# - 127.0.0.1
+# - 10.0.0.0/8
+# - 172.16.0.0/12
+# - 192.168.0.0/16
+
 db:
 # database type: currently supports sqlite, mysql
 type: sqlite
diff --git a/server/server.go b/server/server.go
index 2ecb8892..e7238d1b 100644
--- a/server/server.go
+++ b/server/server.go
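Review bot: The doc comment on `TrustedProxies` in common/config.go names only X-Forwarded-For, but Gin's default `RemoteIPHeaders` are `X-Forwarded-For` and `X-Real-IP`, and unless go-drive overrides them elsewhere either one is consulted when the request comes from a trusted source. I would change the second comment line to `// When set, Gin accepts client-IP headers (X-Forwarded-For, X-Real-IP) only from these sources.` so operators know the proxy has to set or strip both. The same sentence is repeated in the docs/config.yml hunk. The Config struct starts and ends outside the hunk.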
@@ -55,6 +55,12 @@ func InitServer(config common.Config,
 engine := gin.New()
+ if len(config.TrustedProxies) > 0 {
+ engine.SetTrustedProxies(config.TrustedProxies)
+ } else {
+ engine.SetTrustedProxies(nil)
+ }
+
 engine.Use(gin.CustomRecovery(handlePanic))
 if noLogRequest, _ := os.LookupEnv("NO_LOG_REQUEST"); noLogRequest == "" {
From f127ae9cb7645337d5978f23a6e6646a52512933 Mon Sep 17 00:00:00 2001
From: devld
Date: Wed, 11 Mar 2026 11:30:09 +0800
Subject: [PATCH 2/2] Handle error when setting trusted proxies in server initialization
---
 server/server.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/server/server.go b/server/server.go
index e7238d1b..095a6f36 100644
--- a/server/server.go
+++ b/server/server.go
@@ -56,7 +56,9 @@ func InitServer(config common.Config,
 engine := gin.New()
 if len(config.TrustedProxies) > 0 {
- engine.SetTrustedProxies(config.TrustedProxies)
+ if e := engine.SetTrustedProxies(config.TrustedProxies); e != nil {
+ return nil, e
+ }
 } else {
 engine.SetTrustedProxies(nil)
 }
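Review bot: In the [PATCH 1/2] hunk of server/server.go, `config.TrustedProxies` is handed to `engine.SetTrustedProxies` exactly as written in the config file, so an over-broad entry such as `0.0.0.0/0` is accepted and any directly connecting client could then set the address `ClientIP()` reports through a forwarding header. The docs hunk says rate limiting and logging depend on that value, and its commented sample lists whole private ranges, so I would state the risk where the list is applied: `// Every listed source can set ClientIP(); keep this to the reverse proxies' own addresses.` A startup log line naming the trusted sources would also let operators audit the setting. InitServer starts and ends outside the hunk, so I cannot see whether such logging already exists.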
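Review bot: The new `return nil, e` in the [PATCH 2/2] hunk passes Gin's parse error up without saying which setting caused it, and the `else` branch still discards the return value of `engine.SetTrustedProxies(nil)`. As far as I can tell Gin treats an empty slice the same as nil (no proxy is trusted), so the branch could collapse to one checked call: `if err := engine.SetTrustedProxies(config.TrustedProxies); err != nil {` followed by `return nil, fmt.Errorf("trusted-proxies: %w", err)`. That assumes `fmt` is imported in server.go, which the hunk does not show. InitServer's body continues outside the hunk.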