From ab69985fccb3206300c761cf1792258e53f82749 Mon Sep 17 00:00:00 2001
From: Meow <197331664+Meo597@users.noreply.github.com>
Date: Sat, 23 May 2026 21:50:01 +0800
Subject: [PATCH] Config: Warn when `sockopt.trustedXForwardedFor` is not set for XHTTP/WS/HU inbounds (#6159)

https://github.com/XTLS/Xray-core/pull/6110#issuecomment-4470157219
Usage: https://github.com/XTLS/Xray-core/pull/5331#issue-3655317949
---
 infra/conf/xray.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/infra/conf/xray.go b/infra/conf/xray.go
index d01dac2b..a077af5e 100644
--- a/infra/conf/xray.go
+++ b/infra/conf/xray.go
@@ -173,6 +173,26 @@ func (c *InboundDetourConfig) Build() (*core.InboundHandlerConfig, error) {
 return nil, err
 }
 receiverSettings.StreamSettings = ss
+ // TODO: Actually implement this breaking change
+ protocol := ss.GetEffectiveProtocol()
+ if (protocol == "websocket" || protocol == "httpupgrade" || protocol == "splithttp") &&
+ (c.StreamSetting.SocketSettings == nil || len(c.StreamSetting.SocketSettings.TrustedXForwardedFor) == 0) {
+ errors.LogWarning(context.Background(),
+ `====== SECURITY WARNING ======`,
+ "\n",
+ `inbound "`, c.Tag, `" using `, protocol, ` has not configured "sockopt.trustedXForwardedFor".`,
+ "\n",
+ `THIS IS VERY INSECURE!!!`,
+ "\n",
+ `For compatibility, Xray still allows this for now and still trusts X-Forwarded-For implicitly.`,
+ "\n",
+ `Please configure "sockopt.trustedXForwardedFor" immediately.`,
+ "\n",
+ `In future versions, this option must be explicitly set.`,
+ "\n",
+ `====== SECURITY WARNING ======`,
+ )
+ }
 if strings.Contains(ss.SecurityType, "reality") && (receiverSettings.PortList == nil || len(receiverSettings.PortList.Ports()) != 1 || receiverSettings.PortList.Ports()[0] != 443) {
 errors.LogWarning(context.Background(), `REALITY: Listening on non-443 ports may get your IP blocked by the GFW`)
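Review bot: The check `len(c.StreamSetting.SocketSettings.TrustedXForwardedFor) == 0` cannot tell an option that was never set from one set to an empty value, so an operator who deliberately wants no forwarder trusted gets the same warning and, per the message text, the same implicit X-Forwarded-For trust. It is worth confirming what an explicit empty value means where the header is consumed and, if it should mean "trust none", testing for absence instead (for a slice field, `c.StreamSetting.SocketSettings.TrustedXForwardedFor == nil`). The TODO would also be easier to follow up with a pointer to the planned change, e.g. `// TODO(<tracking-issue>): require sockopt.trustedXForwardedFor for websocket/httpupgrade/splithttp inbounds`. The dereference of `c.StreamSetting` relies on a nil guard that is presumably the enclosing `if`, which starts outside the hunk, and the hunk's trailing context appears cut off in this view.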