Sockopt config: Add trustedXForwardedFor (for XHTTP, WS, HU inbounds) (#5331)

Fixes https://github.com/XTLS/Xray-core/pull/5101#issuecomment-3404979909

transport/internet/splithttp/hub.go

@@ -27,13 +27,14 @@ import (
 )
 
 type requestHandler struct {
-	config    *Config
-	host      string
-	path      string
-	ln        *Listener
-	sessionMu *sync.Mutex
-	sessions  sync.Map
-	localAddr net.Addr
+	config         *Config
+	host           string
+	path           string
+	ln             *Listener
+	sessionMu      *sync.Mutex
+	sessions       sync.Map
+	localAddr      net.Addr
+	socketSettings *internet.SocketConfig
 }
 
 type httpSession struct {
@@ -139,7 +140,17 @@ func (h *requestHandler) ServeHTTP(writer http.ResponseWriter, request *http.Req
 		return
 	}
 
-	forwardedAddrs := http_proto.ParseXForwardedFor(request.Header)
+	var forwardedAddrs []net.Address
+	if h.socketSettings != nil && len(h.socketSettings.TrustedXForwardedFor) > 0 {
+		for _, key := range h.socketSettings.TrustedXForwardedFor {
+			if len(request.Header.Values(key)) > 0 {
+				forwardedAddrs = http_proto.ParseXForwardedFor(request.Header)
+				break
+			}
+		}
+	} else {
+		forwardedAddrs = http_proto.ParseXForwardedFor(request.Header)
+	}
 	var remoteAddr net.Addr
 	var err error
 	remoteAddr, err = net.ResolveTCPAddr("tcp", request.RemoteAddr)
@@ -356,12 +367,13 @@ func ListenXH(ctx context.Context, address net.Address, port net.Port, streamSet
 		}
 	}
 	handler := &requestHandler{
-		config:    l.config,
-		host:      l.config.Host,
-		path:      l.config.GetNormalizedPath(),
-		ln:        l,
-		sessionMu: &sync.Mutex{},
-		sessions:  sync.Map{},
+		config:         l.config,
+		host:           l.config.Host,
+		path:           l.config.GetNormalizedPath(),
+		ln:             l,
+		sessionMu:      &sync.Mutex{},
+		sessions:       sync.Map{},
+		socketSettings: streamSettings.SocketSettings,
 	}
 	tlsConfig := getTLSConfig(streamSettings)
 	l.isH3 = len(tlsConfig.NextProtos) == 1 && tlsConfig.NextProtos[0] == "h3"