+ bool allowedorigin = false;
+ HTTPHeaderFinder originheader;
+ if (originheader.Find(recvq, "Origin:", 7, reqend))
+ {
+ const std::string origin = originheader.ExtractValue(recvq);
+ for (WebSocketConfig::OriginList::const_iterator iter = config.allowedorigins.begin(); iter != config.allowedorigins.end(); ++iter)
+ {
+ if (InspIRCd::Match(origin, *iter, ascii_case_insensitive_map))
+ {
+ allowedorigin = true;
+ break;
+ }
+ }
+ }
+
+ if (!allowedorigin)
+ {
+ FailHandshake(sock, "HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n", "WebSocket: Received HTTP request from a non-whitelisted origin");
+ return -1;
+ }
+
+ if (!config.proxyranges.empty() && sock->type == StreamSocket::SS_USER)
+ {
+ LocalUser* luser = static_cast<UserIOHandler*>(sock)->user;
+ irc::sockets::sockaddrs realsa(luser->client_sa);
+
+ HTTPHeaderFinder proxyheader;
+ if (proxyheader.Find(recvq, "X-Real-IP:", 10, reqend)
+ && irc::sockets::aptosa(proxyheader.ExtractValue(recvq), realsa.port(), realsa))
+ {
+ // Nothing to do here.
+ }
+ else if (proxyheader.Find(recvq, "X-Forwarded-For:", 16, reqend)
+ && irc::sockets::aptosa(proxyheader.ExtractValue(recvq), realsa.port(), realsa))
+ {
+ // Nothing to do here.
+ }
+
+ for (WebSocketConfig::ProxyRanges::const_iterator iter = config.proxyranges.begin(); iter != config.proxyranges.end(); ++iter)
+ {
+ if (InspIRCd::MatchCIDR(luser->GetIPString(), *iter, ascii_case_insensitive_map))
+ {
+ // Give the user their real IP address.
+ if (realsa != luser->client_sa)
+ luser->SetClientIP(realsa);
+ break;
+ }
+ }
+ }
+
+