From 773cd6d171099c5631a43008c7bb0967b0b2e204 Mon Sep 17 00:00:00 2001
From: Stavros <steveiliop56@gmail.com>
Date: Wed, 3 Sep 2025 12:14:04 +0300
Subject: [PATCH] feat: add trusted proxies config value

---
 cmd/root.go                         | 1 +
 internal/bootstrap/app_bootstrap.go | 1 +
 internal/config/config.go           | 1 +
 3 files changed, 3 insertions(+)

diff --git a/cmd/root.go b/cmd/root.go
index 171e043..155ccd2 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -112,6 +112,7 @@ func init() {
 		{"ldap-search-filter", "(uid=%s)", "LDAP search filter for user lookup."},
 		{"resources-dir", "/data/resources", "Path to a directory containing custom resources (e.g. background image)."},
 		{"database-path", "/data/tinyauth.db", "Path to the Sqlite database file."},
+		{"trusted-proxies", "", "Comma separated list of trusted proxies (IP addresses) for correct client IP detection and for header ACLs."},
 	}
 
 	for _, opt := range configOptions {
diff --git a/internal/bootstrap/app_bootstrap.go b/internal/bootstrap/app_bootstrap.go
index d2ac1b0..0f967df 100644
--- a/internal/bootstrap/app_bootstrap.go
+++ b/internal/bootstrap/app_bootstrap.go
@@ -146,6 +146,7 @@ func (app *BootstrapApp) Setup() error {
 
 	// Create engine
 	engine := gin.New()
+	engine.SetTrustedProxies(strings.Split(app.Config.TrustedProxies, ","))
 
 	if config.Version != "development" {
 		gin.SetMode(gin.ReleaseMode)
diff --git a/internal/config/config.go b/internal/config/config.go
index 82050de..f698746 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -53,6 +53,7 @@ type Config struct {
 	LdapSearchFilter        string `mapstructure:"ldap-search-filter"`
 	ResourcesDir            string `mapstructure:"resources-dir"`
 	DatabasePath            string `mapstructure:"database-path" validate:"required"`
+	TrustedProxies          string `mapstructure:"trusted-proxies"`
 }
 
 // OAuth/OIDC config