Fix Real IP logic #2550
Hello.
Is caused by #1834
Maybe something like that would be better In case

```go
// ExtractIPFromRealIPHeader extracts IP address using X-Real-Ip header only when we trust Request.RemoteAddr IP.
// Use this if you put proxy which uses this header.
func ExtractIPFromRealIPHeader(options ...TrustOption) IPExtractor {
	checker := newIPChecker(options)
	return func(req *http.Request) string {
		directIP := extractIP(req)
		realIP := req.Header.Get(HeaderXRealIP)
		if realIP != "" {
			if dIP := net.ParseIP(directIP); dIP != nil && checker.trust(dIP) {
				realIP = strings.TrimPrefix(realIP, "[")
				realIP = strings.TrimSuffix(realIP, "]")
				if rIP := net.ParseIP(realIP); rIP != nil {
					return realIP
				}
			}
		}
		return directIP
	}
}
```

p.s. Do not forget to make
Hello, thanks.
Codecov Report

All modified and coverable lines are covered by tests ✅

Additional details and impacted files

```
@@           Coverage Diff           @@
##           master    #2550   +/-   ##
=======================================
  Coverage   92.89%   92.90%
=======================================
  Files          39       39
  Lines        4658     4662    +4
=======================================
+ Hits         4327     4331    +4
  Misses        240      240
  Partials       91       91
```
@aldas is there any chance to get these changes merged?
Alright, done. I looked at this issue a couple of weeks ago but did not want to merge because I did not remember how this IP worked. Fortunately we have fairly good explanations at the beginning of ip.go. I do not want to merge stuff that I do not remember how it should work.
Hello.
This is a fix for the realIP logic.
We should check trust not for the real IP, but for the RemoteIP that sends the request.
For example, we have a client - 1.1.1.1 and LB - 8.8.8.8.
The LB is trusted; all requests sent by it have the X-Real-Ip header with the client IP, and we should extract it from the headers.
We should not extract RealIP from requests sent from other hosts (not our LB).
The current implementation checks the client IP for trust, but that is incorrect.
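
The trust order described above, as an added Go example that is not echo's code: `byHeaderTrust` is a reconstruction of the check the description calls incorrect, and `byPeerTrust` applies the check to the sender instead. The function names, the `trusted` map and the non-LB address 203.0.113.7 are assumptions made for the illustration; the client and LB addresses are the ones from the description.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// trusted is a constructed allow-list holding only the LB from the description.
var trusted = map[string]bool{"8.8.8.8": true}

// peerHost returns the host part of RemoteAddr: the address that sent the request.
func peerHost(r *http.Request) string {
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr
}

// headerIP parses X-Real-Ip, accepting a bracketed IPv6 literal; nil if absent or invalid.
func headerIP(r *http.Request) net.IP {
	return net.ParseIP(strings.TrimSuffix(strings.TrimPrefix(r.Header.Get("X-Real-Ip"), "["), "]"))
}

// byHeaderTrust applies the trust check to the header value (the order described as incorrect).
func byHeaderTrust(r *http.Request) string {
	if ip := headerIP(r); ip != nil && trusted[ip.String()] {
		return ip.String()
	}
	return peerHost(r)
}

// byPeerTrust honours the header only when the sender itself is trusted.
func byPeerTrust(r *http.Request) string {
	peer, hdr := net.ParseIP(peerHost(r)), headerIP(r)
	if peer != nil && trusted[peer.String()] && hdr != nil {
		return hdr.String()
	}
	return peerHost(r)
}

func newReq(remoteAddr, realIP string) *http.Request { // constructed sample request
	return &http.Request{RemoteAddr: remoteAddr, Header: http.Header{"X-Real-Ip": {realIP}}}
}

func main() {
	viaLB, other := newReq("8.8.8.8:443", "1.1.1.1"), newReq("203.0.113.7:5555", "8.8.8.8")
	fmt.Println(byHeaderTrust(viaLB), byHeaderTrust(other), byPeerTrust(viaLB), byPeerTrust(other))
}
```

With the check on the header value, the request relayed by the LB is logged as the LB itself and the header from the non-LB host is accepted; with the check on the sender, the first resolves to the client and the second falls back to the connecting address.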