From 4a2563654f7fd723c006e54e758870395ba5ca34 Mon Sep 17 00:00:00 2001
From: Anton Litvinov
Date: Fri, 1 Sep 2023 16:49:24 +0400
Subject: [PATCH] Allow localhost-only routes to be used from host (#5867)
---
 tequilapi/http_api_server.go | 4 ++++
 tequilapi/middlewares/http_middlewares.go | 6 +++---
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/tequilapi/http_api_server.go b/tequilapi/http_api_server.go
index 9e8b774536..b566db09ee 100644
--- a/tequilapi/http_api_server.go
+++ b/tequilapi/http_api_server.go
@@ -80,6 +80,10 @@ func NewServer(
 g.Use(middlewares.ApplyMiddlewareTokenAuth(authenticator))
 }
+ // Set to protect localhost-only endpoints due to use of nodeUI proxy
+ // With this set, context.ClientIP() will return only IP set by trusted proxy, not by a client!
+ g.SetTrustedProxies([]string{"127.0.0.1"})
+
 for _, h := range handlers {
 err := h(g)
 if err != nil {
diff --git a/tequilapi/middlewares/http_middlewares.go b/tequilapi/middlewares/http_middlewares.go
index e26c62c5c5..10620bd5ed 100644
--- a/tequilapi/middlewares/http_middlewares.go
+++ b/tequilapi/middlewares/http_middlewares.go
@@ -64,13 +64,13 @@ func NewHostFilter() func(*gin.Context) {
 // NewLocalhostOnlyFilter returns instance of middleware allowing only requests
 // with local client IP.
-// Don't forget to Engine.SetTrustedProxies() if reverse proxy is used.
 func NewLocalhostOnlyFilter() func(*gin.Context) {
 return func(c *gin.Context) {
 // ClientIP() parses the headers defined in Engine.RemoteIPHeaders if there is
- clientIP := c.ClientIP()
- if net.ParseIP(clientIP).IsLoopback() {
+ // so it handles clients behind proxy
+ isLocal := net.ParseIP(c.ClientIP()).IsLoopback()
+ if isLocal {
 return
 }
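Review bot: The added call `g.SetTrustedProxies([]string{"127.0.0.1"})` in NewServer discards the error that gin returns from it, and it lists only the IPv4 loopback address. If the nodeUI proxy ever reaches this server over `::1`, gin would not treat that peer as a trusted proxy, and `ClientIP()` would presumably fall back to the socket address, which is itself loopback, so a proxied request could satisfy the localhost-only filter. Whether that can happen depends on how the proxy dials, which is not visible in this patch. I would write `err := g.SetTrustedProxies([]string{"127.0.0.1", "::1"})` and fail server construction on a non-nil `err`, in the same way the handler loop below treats its `err`. NewServer's body starts and ends outside the hunk.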
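Review bot: The doc comment on NewLocalhostOnlyFilter no longer states that the check is only as reliable as the engine's trusted-proxy list, which this commit now configures in a different file (`http_api_server.go`). Anyone attaching this filter to an engine whose proxy list is not restricted would get a `ClientIP()` value taken from request headers, which is the case the comment in NewServer warns about. I would keep a line such as `// Relies on Engine.SetTrustedProxies being restricted (see NewServer); otherwise ClientIP() may reflect client-supplied headers.` on the function. The inline comment ending "if there is" followed by "so it handles clients behind proxy" also reads as an unfinished sentence and should be reworded. The returned closure continues outside the hunk.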