From 0295041cda954da03d282cbc2af4e38c659870a2 Mon Sep 17 00:00:00 2001
From: Matteo Mekhail <67237370+matteoiscrying@users.noreply.github.com>
Date: Mon, 23 Feb 2026 13:10:25 +1100
Subject: [PATCH 1/2] add support for railway internal proxy

---
 server.ts | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/server.ts b/server.ts
index ada80a1..0e74f45 100644
--- a/server.ts
+++ b/server.ts
@@ -109,6 +109,11 @@ function isPrivateIp(ip: string): boolean {
   if (v4 === "127.0.0.1" || ip === "::1") return true;
   if (v4.startsWith("10.")) return true;
   if (v4.startsWith("192.168.")) return true;
+  // CGNAT range (RFC 6598) — used by Railway's internal proxy
+  if (v4.startsWith("100.")) {
+    const second = parseInt(v4.split(".")[1] ?? "", 10);
+    if (second >= 64 && second <= 127) return true;
+  }
   if (ip.startsWith("fc") || ip.startsWith("fd")) return true;
   if (v4.startsWith("172.")) {
     const second = parseInt(v4.split(".")[1] ?? "", 10);

From 8489927b67ae8a8f328290f66a042a68d02d170f Mon Sep 17 00:00:00 2001
From: Matteo Mekhail <67237370+matteoiscrying@users.noreply.github.com>
Date: Mon, 23 Feb 2026 13:12:42 +1100
Subject: [PATCH 2/2] normalize socket IP format

---
 server.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/server.ts b/server.ts
index 0e74f45..70f0440 100644
--- a/server.ts
+++ b/server.ts
@@ -132,11 +132,13 @@ function getClientIp(req: Request, server: Bun.Server<WsData>): string {
     const xff = req.headers.get("x-forwarded-for");
     if (xff) {
       const rightmost = xff.split(",").at(-1)?.trim();
-      if (rightmost) return rightmost;
+      if (rightmost && !isPrivateIp(rightmost)) {
+        return rightmost.startsWith("::ffff:") ? rightmost.slice(7) : rightmost;
+      }
     }
   }
 
-  return socketIp;
+  return socketIp.startsWith("::ffff:") ? socketIp.slice(7) : socketIp;
 }
 
 function isRateLimited(key: string, limit: number, windowMs: number): boolean {