Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

taken account of X-Forwarded-For header #88

Closed
komuw opened this issue Jul 9, 2022 · 5 comments · Fixed by #187
Closed

taken account of X-Forwarded-For header #88

komuw opened this issue Jul 9, 2022 · 5 comments · Fixed by #187

Comments

@komuw
Copy link
Owner

komuw commented Jul 9, 2022

everywhere we are using request.RemoteAddr[1]; we should first check if X-Forwarded-For[2] exists and use that instead. Then fall back to request.RemoteAddr.
See[3] for how golang/pkgsite does it. Also how they do ratelimiting is interesting[4]

  1. https://github.com/komuw/ong/search?l=Go&q=RemoteAddr&type=
  2. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
  3. https://github.com/golang/pkgsite/blob/8b9886cdffa22a4f43206ac784fa1646fd0b6da6/internal/middleware/quota.go#L89-L94
  4. https://github.com/golang/pkgsite/blob/8b9886cdffa22a4f43206ac784fa1646fd0b6da6/internal/middleware/quota.go#L50-L70
@komuw
Copy link
Owner Author

komuw commented Jul 10, 2022
edited
Loading

There's also the Forwarded[1] header which is standardized and is supposed to be a replacement of X-Forwarded-For .
The good thing about it is that, your trusted front-end proxy could include a secret token[2] to identify itself.
Forwarded: for=12.34.56.78, for=23.45.67.89;secret=egah2CGj55fSJFs, for=10.1.2.3

  1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
  2. https://www.nginx.com/resources/wiki/start/topics/examples/forwarded/

@komuw
Copy link
Owner Author

komuw commented Jul 10, 2022

We are not going to take X-Forwarded-For or Forwarded into account for now. This is because those headers can easily be spoofed among other problems. See[1] which deals with this comprehensively.

  1. https://adam-p.ca/blog/2022/03/x-forwarded-for/

@komuw komuw closed this as completed Sep 27, 2022
@komuw
Copy link
Owner Author

komuw commented Dec 7, 2022

@komuw komuw reopened this Dec 7, 2022
@komuw
Copy link
Owner Author

komuw commented Dec 7, 2022

Another algo for selecting IP: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#selecting_an_ip_address

@komuw
Copy link
Owner Author

komuw commented Dec 7, 2022

https://github.com/realclientip/realclientip-go written by the person who wrote https://adam-p.ca/blog/2022/03/x-forwarded-for/

@komuw komuw mentioned this issue Dec 8, 2022
Merged
komuw added a commit that referenced this issue Dec 11, 2022
@komuw
issues/88: create middleware that adds the real client IP address (#187)
2bd9f43 
What:
- Create middleware that adds the real client IP address
  Note that this is on a best effort basis. Finding the true client IP address is a precarious process[1]

Why:
- Fixes: #88

Ref:
1. https://adam-p.ca/blog/2022/03/x-forwarded-for/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

issues/88: create middleware that adds the real client IP address komuw/ong
1 participant
@komuw