2 files changed, 21 insertions, 1 deletions

diff --git a/CHANGES b/CHANGES
index 4233488a..b91aced8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -42,6 +42,7 @@ TRUNK
 - mod_blocklist: New option 'migrate_legacy_blocking' to disable migration from mod_privacy
 - Ability to use SQLite3 storage using LuaSQLite3 instead of LuaDBI
 - Moved all modules into the Lua namespace `prosody.`
+- Forwarded header from RFC 7239 supported
 
 ## Removed
 
diff --git a/plugins/mod_http.lua b/plugins/mod_http.lua
index b7912019..edf220a8 100644
--- a/plugins/mod_http.lua
+++ b/plugins/mod_http.lua
@@ -15,7 +15,8 @@ local portmanager = require "prosody.core.portmanager";
 local moduleapi = require "prosody.core.moduleapi";
 local url_parse = require "socket.url".parse;
 local url_build = require "socket.url".build;
-local normalize_path = require "prosody.util.http".normalize_path;
+local http_util = require "prosody.util.http";
+local normalize_path = http_util.normalize_path;
 local set = require "prosody.util.set";
 local array = require "util.array";
 
@@ -319,6 +320,24 @@ end
 local function get_forwarded_connection_info(request) --> ip:string, secure:boolean
 	local ip = request.ip;
 	local secure = request.secure; -- set by net.http.server
+
+	local forwarded = http_util.parse_forwarded(request.headers.forwarded);
+	if forwarded then
+		request.forwarded = forwarded;
+		for i = #forwarded, 1, -1 do
+			local proxy = forwarded[i]
+			if is_trusted_proxy(ip) then
+				ip = normal_ip(proxy["for"]);
+				secure = secure and proxy.proto == "https";
+			else
+				break
+			end
+		end
+
+		-- Ignore legacy X-Forwarded-For and X-Forwarded-Proto, handling both seems unfeasible.
+		return ip, secure;
+	end
+
 	local forwarded_for = request.headers.x_forwarded_for;
 	if forwarded_for then
 		-- luacheck: ignore 631