Don't accept any IP as a proxy by default

It's too easy to setup a reverse proxy which doesn't support the PROXY
protocol, or lets the X-Forwarded-For header fields pass through.
Disable this by default.

To restore the previous behaviour, add `accept-proxy-ip localhost` to
the config file.

config/config.go

@@ -55,7 +55,6 @@ func Defaults() *Server {
 		Hostname:  hostname,
 		SQLDriver: "sqlite3",
 		SQLSource: "soju.db",
-		AcceptProxyIPs: loopbackIPs,
 	}
 }
 
@@ -100,6 +99,10 @@ func parse(cfg scfg.Block) (*Server, error) {
 		case "accept-proxy-ip":
 			srv.AcceptProxyIPs = nil
 			for _, s := range d.Params {
+				if s == "localhost" {
+					srv.AcceptProxyIPs = append(srv.AcceptProxyIPs, loopbackIPs...)
+					continue
+				}
 				_, n, err := net.ParseCIDR(s)
 				if err != nil {
 					return nil, fmt.Errorf("directive %q: failed to parse CIDR: %v", d.Name, err)

doc/soju.1.scd

@@ -114,8 +114,8 @@ The following directives are supported:
 *accept-proxy-ip* <cidr...>
 	Allow the specified IPs to act as a proxy. Proxys have the ability to
 	overwrite the remote and local connection addresses (via the X-Forwarded-\*
-	HTTP header fields). By default, the loopback addresses 127.0.0.0/8 and
+	HTTP header fields). The special name "localhost" accepts the loopback
-	::1/128 are accepted.
+	addresses 127.0.0.0/8 and ::1/128. By default, all IPs are rejected.
 
 # IRC SERVICE