From bb2bda1379b7f669e44e758f3de558ec9cb602b3 Mon Sep 17 00:00:00 2001
From: Josh Patra <joshpatra12@gmail.com>
Date: Mon, 2 Feb 2026 20:14:11 -0500
Subject: [PATCH] x-forwarded-for headers

---
 .../Services/Jellyfin/JellyfinProxyService.cs | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/allstarr/Services/Jellyfin/JellyfinProxyService.cs b/allstarr/Services/Jellyfin/JellyfinProxyService.cs
index 4e675ed..dd65c58 100644
--- a/allstarr/Services/Jellyfin/JellyfinProxyService.cs
+++ b/allstarr/Services/Jellyfin/JellyfinProxyService.cs
@@ -146,6 +146,17 @@ public class JellyfinProxyService
     {
         using var request = new HttpRequestMessage(HttpMethod.Get, url);
         
+        // Forward client IP address to Jellyfin so it can identify the real client
+        if (_httpContextAccessor.HttpContext != null)
+        {
+            var clientIp = _httpContextAccessor.HttpContext.Connection.RemoteIpAddress?.ToString();
+            if (!string.IsNullOrEmpty(clientIp))
+            {
+                request.Headers.TryAddWithoutValidation("X-Forwarded-For", clientIp);
+                request.Headers.TryAddWithoutValidation("X-Real-IP", clientIp);
+            }
+        }
+        
         bool authHeaderAdded = false;
         
         // Check if this is a browser request for static assets (favicon, etc.)
@@ -262,6 +273,17 @@ public class JellyfinProxyService
         
         using var request = new HttpRequestMessage(HttpMethod.Post, url);
         
+        // Forward client IP address to Jellyfin so it can identify the real client
+        if (_httpContextAccessor.HttpContext != null)
+        {
+            var clientIp = _httpContextAccessor.HttpContext.Connection.RemoteIpAddress?.ToString();
+            if (!string.IsNullOrEmpty(clientIp))
+            {
+                request.Headers.TryAddWithoutValidation("X-Forwarded-For", clientIp);
+                request.Headers.TryAddWithoutValidation("X-Real-IP", clientIp);
+            }
+        }
+        
         // Handle special case for playback endpoints - Jellyfin expects wrapped body
         var bodyToSend = body;
         if (!string.IsNullOrWhiteSpace(body))
@@ -424,6 +446,17 @@ public class JellyfinProxyService
         
         using var request = new HttpRequestMessage(HttpMethod.Delete, url);
         
+        // Forward client IP address to Jellyfin so it can identify the real client
+        if (_httpContextAccessor.HttpContext != null)
+        {
+            var clientIp = _httpContextAccessor.HttpContext.Connection.RemoteIpAddress?.ToString();
+            if (!string.IsNullOrEmpty(clientIp))
+            {
+                request.Headers.TryAddWithoutValidation("X-Forwarded-For", clientIp);
+                request.Headers.TryAddWithoutValidation("X-Real-IP", clientIp);
+            }
+        }
+        
         bool authHeaderAdded = false;
         
         // Forward authentication headers from client (case-insensitive)