Filter internal IP addresses from X-Forwarded-For header

[floatdrop]

Internal ip's (like 192.168.0.1) is not useful in any way for server, so we often filter internal networks from headers.

[pbojinov]

What if we exposed a flag that you can set, lets say ignoreInteral or ignoreLocal and if its true, then we return null when it's a internal ip such as 192.168.0.1.

Also thoughts on getting a cohesive list of internal ips?

[floatdrop]

@pbojinov yeah, sounds nice. We used netmask for a while, until IPv6 came into play. I think ip is good candidate for this task.

[pbojinov]

@floatdrop in this case, will using ip.isPrivate('127.0.0.1') // true from ip work out ok?

Do you have any example headers we can use for the tests? Want to make sure we're using real live data to cover these test cases.

[pbojinov]

What about thoughts on naming for the flag: ignorePrivate, ignoreLocal, ignoreInternal?

[floatdrop]

@pbojinov we have only tests for filtering ipv4 adresses (all of them from private networks), but no actual headers.

What about thoughts on naming for the flag: ignorePrivate, ignoreLocal, ignoreInternal?

I think ignorePrivate is good choice, because of ip.isPrivate method.

[pbojinov]

Sounds good, I'll add this in. Thanks!

[fluxsauce]

There's an existing dependency on is.js, maybe add it upstream?

[pbojinov]

@fluxsauce the dependency is in the package.json. Am I missing something else?

  "dependencies": {
    "is_js": "^0.9.0"
  }

It should install from npm. I'm seeing this when I run a fresh install:

> npm install request-ip
test@1.1.0 /Users/petar/test
└─┬ request-ip@2.0.1
  └── is_js@0.9.0

[fluxsauce]

@pbojinov I meant add is.ipPrivate to is.js first, as it could be useful in some other places.

[Redmega]

Any update on this?

[pbojinov]

@Redmega yes it's in progress. I'll have something out soon.

[Redmega]

Awesome to hear. I'm doing a geoip check on an aws box and its grabbing the IP of the box itself. It's hard to tell without intense console logging if its due to incorrectly set headers or the request-ip package itself. It isn't a high priority issue for us so I've left it alone for now, looking forward to the release 👍

[maximium]

then we return null when it's a internal ip such as 192.168.0.1

Probably a better way is to return the first not private ip from x-forwarded-for header instead of null
eg. 195.189.143.147 for X-Forwarded-For: 127.0.0.1, 192.168.0.100, 195.189.143.147, 130.236.236.80

[evdama]

what's the status on this?