Add secure X-Forwarded header forwarding with trusted proxy validation to fix SSL redirect loop

[Copilot]

Fix infinite redirect loop with Akkoma's force_ssl configuration

Problem

When Akkoma has force_ssl: [rewrite_on: [:x_forwarded_proto]] enabled, it checks the X-Forwarded-Proto header to determine if the request is coming via HTTPS. If not set to https, Akkoma redirects to HTTPS. The proxy currently doesn't forward this header to upstream, causing Akkoma to always redirect, creating an infinite loop.

Solution

Implemented secure, opt-in X-Forwarded header forwarding with trusted proxy validation to fix the redirect loop while preventing header spoofing attacks.

Changes Made

1. Security-First Configuration (src/config.rs)

• Added forward_headers_enabled flag (default: false) - must be explicitly enabled
• Added trusted_proxies list for IP/CIDR validation
• Headers are only forwarded when both enabled AND from trusted sources
• Empty trusted_proxies list prevents all forwarding (secure default)

2. Trusted Proxy Validation (src/proxy.rs)

• IP/CIDR matching: Uses ipnetwork crate to validate client IPs against trusted proxy list
• Secure header forwarding logic:
  • From trusted sources: Forward all X-Forwarded-* headers as-is
  • From untrusted sources: Completely discard all X-Forwarded headers and set X-Forwarded-For to actual client IP only
• Added is_trusted_proxy() function for IP validation
• Added apply_forwarded_headers() function implementing security policy
• Updated proxy_handler to extract client IP via ConnectInfo

3. Server Infrastructure (src/main.rs)

• Added ConnectInfo layer to enable client IP extraction
• Updated router to use into_make_service_with_connect_info::<SocketAddr>()

4. Dependencies (Cargo.toml)

• Added ipnetwork = "0.20" for IP/CIDR parsing and validation

5. Comprehensive Testing

• Added 5 new test cases (23 total, all passing)
• Tests cover trusted/untrusted proxy scenarios
• Tests verify header forwarding, IP validation, and security properties

6. Documentation

• README.md: Added comprehensive section on X-Forwarded headers with security considerations and example configurations for common setups (nginx, Cloudflare)
• config.example.toml: Added detailed configuration examples with security guidance
• CHANGELOG.md: Documented security improvements, new features, and version 0.1.1 release

Security Improvements

• Opt-in by default: Feature disabled unless explicitly configured
• Trusted proxy validation: Only honors headers from configured trusted sources
• Header spoofing prevention: Untrusted sources cannot spoof X-Forwarded-Proto, X-Forwarded-For, or X-Forwarded-Host
• No malicious data preservation: Completely discards untrusted headers instead of appending to them
• Transparent logging: Debug logs show trusted/untrusted decisions

Breaking Changes

None - This is a backward-compatible change. The feature is disabled by default, maintaining existing behavior.

Migration Guide

To enable X-Forwarded header forwarding:

1. Set forward_headers_enabled = true in your config
2. Configure trusted_proxies with your reverse proxy IPs/CIDRs
3. Test with your setup (nginx, Cloudflare, etc.)

Example for nginx on localhost:

[server]
forward_headers_enabled = true
trusted_proxies = ["127.0.0.1", "::1"]

Version

Bumped to 0.1.1 with full release notes in CHANGELOG.md

Original prompt

fix the issue of the redirecting the same url never ends when force_ssl: [rewrite_on: [:x_forwarded_proto]] is enabled on akkoma

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[GrassBlock1]

@copilot help to bump the version code please

[Copilot]

@copilot help to bump the version code please

Bumped to version 0.1.1 in commit ad1c1c3. Updated Cargo.toml, CHANGELOG.md, README.md, and config.example.toml.

[Copilot]

Pull request overview

This PR updates the Rust-based Akkoma media proxy to forward X-Forwarded-* headers upstream to prevent infinite HTTPS redirect loops when Akkoma is configured with force_ssl: [rewrite_on: [:x_forwarded_proto]], alongside a version bump and documentation/release-note updates.

Changes:

• Forward X-Forwarded-Proto, X-Forwarded-For, and X-Forwarded-Host headers from incoming requests to the upstream request.
• Update docs and examples to document header forwarding and bump example via_header strings.
• Bump crate version to 0.1.1 and add 0.1.1 release notes to the changelog.

Reviewed changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
src/proxy.rs	Adds forwarding of X-Forwarded-* headers to upstream; includes formatting-only refactors elsewhere.
src/main.rs	Formatting-only changes to imports/logging and server start call.
src/image.rs	Formatting-only refactors (no functional change).
src/config.rs	Import ordering and formatting-only changes.
src/cache.rs	Formatting-only changes in implementation/tests.
config.example.toml	Bumps example via_header version to 0.1.1.
README.md	Documents X-Forwarded header forwarding; bumps example version string.
Cargo.toml	Version bump to 0.1.1.
Cargo.lock	Locks version bump to 0.1.1.
CHANGELOG.md	Adds 0.1.1 entry and updates compare links.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.