Diffstat (limited to '')
-rw-r--r-- | Dockerfile | 11 | ||||
-rw-r--r-- | Dockerfile_nginx | 7 | ||||
-rw-r--r-- | docker-compose.yaml | 45 | ||||
-rw-r--r-- | go.mod | 4 | ||||
-rw-r--r-- | go.sum | 2 | ||||
-rw-r--r-- | main.go (renamed from icanhazallips.go) | 27 | ||||
-rw-r--r-- | nginx.conf | 40 |
7 files changed, 110 insertions, 26 deletions
@@ -1,4 +1,4 @@
-FROM alpine:3.17 as builder
+FROM golang:1.24-alpine3.21 AS builder
 ENV GOPROXY=https://goproxy.io
 RUN apk update && apk upgrade
 RUN apk add go git
@@ -8,13 +8,6 @@ RUN cd /icanhazallips && go mod download
 COPY *.go /icanhazallips/
 RUN cd /icanhazallips && go build
-FROM alpine:3.17 as certbuilder
-RUN apk add openssl
-WORKDIR /certs
-RUN openssl req -nodes -new -x509 -subj="CN=icanhazallips.terminaldweller.com" -keyout server.key -out server.cert
-
-# FROM gcr.io/distroless/static-debian11
-FROM alpine:3.17
-COPY --from=certbuilder /certs /certs
+FROM alpine:3.21
 COPY --from=builder /icanhazallips/icanhazallips /icanhazallips/icanhazallips
 ENTRYPOINT ["/icanhazallips/icanhazallips"]
diff --git a/Dockerfile_nginx b/Dockerfile_nginx
new file mode 100644
index 0000000..55e8059
--- /dev/null
+++ b/Dockerfile_nginx
@@ -0,0 +1,7 @@
+FROM alpine:3.21 AS certbuilder
+RUN apk add openssl
+WORKDIR /certs
+RUN openssl req -nodes -new -x509 -subj="/CN=icanhazallips.terminaldweller.com" -keyout server.key -out server.cert
+
+FROM nginx:stable-alpine
+COPY --from=certbuilder /certs /certs
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 54ae340..22f5dd0 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,16 +1,19 @@
-version: "3"
 services:
 icanhazallips:
 image: icanhazallips
+deploy:
+resources:
+limits:
+memory: 256M
+logging:
+driver: "json-file"
+options:
+max-size: "100m"
 build:
 context: .
 networks:
-- mainnet
+- haznet
 restart: unless-stopped
-ports:
-- target: 8080
-published: 9380
-mode: host
 entrypoint: ["/icanhazallips/icanhazallips"]
 cap_drop:
 - ALL
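Review bot: `RUN apk add go git` in the builder stage now installs Alpine's own Go package on top of the `golang:1.24-alpine3.21` base image, so two toolchains are present and which one runs `go build` depends on PATH ordering (the image's /usr/local/go is expected to win, but that is worth confirming rather than assuming). Drop `go` from that line, keeping `RUN apk add git` only if `go mod download` still needs it. The stage also keeps `ENV GOPROXY=https://goproxy.io`, a third-party module mirror; module integrity then rests on the committed go.sum and the checksum database rather than on the proxy, which deserves a one-line comment such as `# third-party module proxy; go.sum + sumdb still verify what it serves`.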
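Review bot: The `RUN openssl req -nodes -new -x509 …` line passes no `-days`, so the self-signed certificate gets OpenSSL's default 30-day validity counted from image build time, after which nginx keeps serving an expired certificate until the image is rebuilt; add an explicit `-days` or, better, mount operator-supplied certificates instead of baking them in. The unencrypted key (`-nodes`) is also copied into the final image by `COPY --from=certbuilder /certs /certs`, so anyone who can pull `haz_nginx` holds the private key. If this is intentionally a dev/self-signed setup, say so in the file, e.g. `# self-signed cert for development; key is baked into the image and expires with it`.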
@@ -21,6 +24,34 @@ services:
 - APP_READ_TIMEOUT=5
 - APP_WRITE_TIMEOUT=5
 - APP_IDLE_TIMEOUT=5
+nginx:
+image: haz_nginx
+deploy:
+resources:
+limits:
+memory: 256M
+logging:
+driver: "json-file"
+options:
+max-size: "100m"
+build:
+context: .
+dockerfile: Dockerfile_nginx
+ports:
+- "9380:443"
+networks:
+- haznet
+restart: unless-stopped
+cap_drop:
+- ALL
+cap_add:
+- CHOWN
+- DAC_OVERRIDE
+- SETGID
+- SETUID
+- NET_BIND_SERVICE
+volumes:
+- ./nginx.conf:/etc/nginx/nginx.conf:ro
 networks:
-mainnet:
+haznet:
 driver: bridge
@@ -1,3 +1,5 @@
 module icanhazallips
-go 1.19
+go 1.24.0
+
+require github.com/pires/go-proxyproto v0.8.0
@@ -0,0 +1,2 @@
+github.com/pires/go-proxyproto v0.8.0 h1:5unRmEAPbHXHuLjDg01CxJWf91cw3lKHc/0xzKpXEe0=
+github.com/pires/go-proxyproto v0.8.0/go.mod h1:iknsfgnH8EkjrMeMyvfKByp9TiBZCKZM0jx2xmKqnVY=
diff --git a/icanhazallips.go b/main.go
index 684fea8..140c912 100644
--- a/icanhazallips.go
+++ b/main.go
@@ -2,7 +2,6 @@ package main
 import (
-"crypto/tls"
 "errors"
 "log"
 "net"
@@ -11,6 +10,8 @@ import (
 "strconv"
 "strings"
 "time"
+
+"github.com/pires/go-proxyproto"
 )
 const (
@@ -35,6 +36,8 @@ func getDefaultOptions() map[string]float64 {
 }
 func getIP(request *http.Request) (string, error) {
+log.Println("X-Forwarded-For:", request.Header.Get("X-Forwarded-For"))
+log.Println("X-Real-IP:", request.Header.Get("X-Real-IP"))
 ips := request.Header.Get("X-Forwarded-For")
 splitIps := strings.Split(ips, ",")
@@ -42,6 +45,7 @@ func getIP(request *http.Request) (string, error) {
 if len(splitIps) > 0 {
 netIP := net.ParseIP(splitIps[len(splitIps)-1])
+log.Println("one:", netIP.String())
 if netIP != nil {
 return netIP.String(), nil
 }
@@ -58,6 +62,7 @@ func getIP(request *http.Request) (string, error) {
 return "127.0.0.1", nil
 }
+log.Println("two:", ip)
 return ip, nil
 }
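Review bot: The new nginx service's `cap_add` includes `DAC_OVERRIDE`, which lets the process bypass file-permission checks on everything in the container, not only what startup needs; the official image needs `CHOWN`, `SETGID` and `SETUID` to drop to its unprivileged user and `NET_BIND_SERVICE` for `listen 443`, but whether it also needs `DAC_OVERRIDE` alongside a read-only config mount is something to verify by starting the container without it. If it turns out to be required, a comment such as `# DAC_OVERRIDE: required by the image entrypoint (verified on <date>)` would justify the exception. Note also that `- "9380:443"` publishes on all host interfaces unless a host address is prefixed, which the old `mode: host` entry on the app service did as well, so the exposure is unchanged but now worth stating in the file.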
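Review bot: The `log.Println` calls added to `getIP` in this hunk and in the two following getIP hunks (`one:` and `two:`) are debug output that writes the raw `X-Forwarded-For` and `X-Real-IP` request headers and the resolved client address to the container log on every request, so each visitor's IP now lands in the json-file log in plain text; the `one:` line also runs before the `netIP != nil` check, so it prints `<nil>` for input that failed to parse. If the trace is still wanted, gate it behind an option from the same options map `getDefaultOptions` returns and log once per request; otherwise drop the five lines. getIP's body continues outside these hunks.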
@@ -156,12 +161,6 @@ func main() {
 log.Fatal(errBadConfig)
 }
-tlsConfig := &tls.Config{
-MinVersion: tls.VersionTLS13,
-CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
-PreferServerCipherSuites: true,
-}
-
 server := http.Server{
 Addr: config.Addr,
 ReadHeaderTimeout: time.Duration(config.ReadHeaderTimeout) * time.Second,
@@ -171,8 +170,18 @@ func main() {
 TLSNextProto: nil,
 ErrorLog: nil,
 Handler: nil,
-TLSConfig: tlsConfig,
 }
-log.Fatal(server.ListenAndServeTLS("/certs/server.cert", "/certs/server.key"))
+ln, err := net.Listen("tcp", config.Addr)
+if err != nil {
+log.Fatal(err)
+}
+
+proxyListener := &proxyproto.Listener{
+Listener: ln,
+ReadHeaderTimeout: time.Duration(config.ReadHeaderTimeout) * time.Second,
+}
+defer proxyListener.Close()
+
+log.Fatal(server.Serve(proxyListener))
 }
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..b18cafc
--- /dev/null
+++ b/nginx.conf
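Review bot: The `proxyproto.Listener` is built without a `Policy`, so it accepts a PROXY header from any peer that can reach `config.Addr`, and the client address the service reports can then be set by whoever connects directly rather than by nginx; with the app port no longer published that is limited to containers on `haznet`, but a `Policy` that only honours the header from the nginx service's address keeps the trust explicit. As committed, the nginx side (`proxy_pass http://icanhazallips:8080` in nginx.conf, with no `proxy_protocol on;`) never sends the header, so the wrapper currently adds an unused trust path — either enable it in nginx or drop the wrapper and serve on `ln`. `defer proxyListener.Close()` never runs because `log.Fatal` exits the process; it is harmless but misleading, so either remove it or add `// log.Fatal exits before deferred calls run` next to it. main's body begins outside the hunk.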
@@ -0,0 +1,40 @@
+events {
+worker_connections 4096;
+}
+
+http {
+include /etc/nginx/mime.types;
+server_tokens off;
+limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;
+
+server {
+listen 443 ssl;
+keepalive_timeout 60;
+charset utf-8;
+ssl_certificate /certs/server.cert;
+ssl_certificate_key /certs/server.key;
+ssl_ciphers HIGH:!aNULL:!MD5:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_protocols TLSv1.3;
+ssl_session_cache shared:SSL:50m;
+ssl_session_timeout 1d;
+ssl_session_tickets off;
+ssl_prefer_server_ciphers on;
+tcp_nopush on;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+add_header Content-Security-Policy "default-src 'self';";
+add_header X-Frame-Options SAMEORIGIN always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header Referrer-Policy "no-referrer";
+fastcgi_hide_header X-Powered-By;
+
+error_page 401 403 404 /404.html;
+location / {
+proxy_pass http://icanhazallips:8080;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto https;
+}
+}
+}
|
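Review bot: `limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;` defines a zone that is never applied — there is no `limit_req zone=one …;` in the `server` or `location /` block — so the rate limit is a no-op; add `limit_req zone=one burst=10 nodelay;` (burst value is a constructed example) inside `location /`. With `ssl_protocols TLSv1.3;` alone, the long `ssl_ciphers` list and `ssl_prefer_server_ciphers on` have no effect, because TLS 1.3 suites are not selected through that directive; keep them with a comment that they are for a future TLS 1.2 fallback, or remove them. `add_header X-XSS-Protection "1; mode=block"` is a deprecated header that current browsers ignore and current guidance sets to `0`, and `fastcgi_hide_header X-Powered-By;` is dead config in a proxy-only server. Since the upstream Go service now wraps its listener in PROXY protocol, `proxy_protocol on;` in `location /` is needed if that header is meant to be sent.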