Fix Real IP logic #2550
Merged
Fix Real IP logic #2550
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hello. |
|
Is cause by #1834 |
|
Maybe something like that would be better In case // ExtractIPFromRealIPHeader extracts IP address using X-Real-Ip header only when we trust Request.RemoteAddr IP.
// Use this if you put proxy which uses this header.
func ExtractIPFromRealIPHeader(options ...TrustOption) IPExtractor {
checker := newIPChecker(options)
return func(req *http.Request) string {
directIP := extractIP(req)
realIP := req.Header.Get(HeaderXRealIP)
if realIP != "" {
if dIP := net.ParseIP(directIP); dIP != nil && checker.trust(dIP) {
realIP = strings.TrimPrefix(realIP, "[")
realIP = strings.TrimSuffix(realIP, "]")
if rIP := net.ParseIP(realIP); rIP != nil {
return realIP
}
}
}
return directIP
}
}p.s. Do not forget to make |
|
Hello, thanks. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #2550 +/- ##
=======================================
Coverage 92.89% 92.90%
=======================================
Files 39 39
Lines 4658 4662 +4
=======================================
+ Hits 4327 4331 +4
Misses 240 240
Partials 91 91 ☔ View full report in Codecov by Sentry. |
|
@aldas is there any chance to get this changes merged? |
|
alright, done. I look this issue couple weeks ago but did not want to merge because I did not remember how this IP worked. Fortunately we have fairly good explanations at the beggining of ip.go. I do not want to merge stuff that I do not remember how it should work. |
nono
added a commit
to cozy/cozy-stack
that referenced
this pull request
Apr 22, 2024
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [github.com/labstack/echo/v4](https://togithub.com/labstack/echo) | `v4.11.4` -> `v4.12.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>labstack/echo (github.com/labstack/echo/v4)</summary> ### [`v4.12.0`](https://togithub.com/labstack/echo/blob/HEAD/CHANGELOG.md#v4120---2024-04-15) [Compare Source](https://togithub.com/labstack/echo/compare/v4.11.4...v4.12.0) **Security** - Update golang.org/x/net dep because of [GO-2024-2687](https://pkg.go.dev/vuln/GO-2024-2687) by [@​aldas](https://togithub.com/aldas) in [labstack/echo#2625 **Enhancements** - binder: make binding to Map work better with string destinations by [@​aldas](https://togithub.com/aldas) in [labstack/echo#2554 - README.md: add Encore as sponsor by [@​marcuskohlberg](https://togithub.com/marcuskohlberg) in [labstack/echo#2579 - Reorder paragraphs in README.md by [@​aldas](https://togithub.com/aldas) in [labstack/echo#2581 - CI: upgrade actions/checkout to v4 by [@​aldas](https://togithub.com/aldas) in [labstack/echo#2584 - Remove default charset from 'application/json' Content-Type header by [@​doortts](https://togithub.com/doortts) in [labstack/echo#2568 - CI: Use Go 1.22 by [@​aldas](https://togithub.com/aldas) in [labstack/echo#2588 - binder: allow binding to a nil map by [@​georgmu](https://togithub.com/georgmu) in [labstack/echo#2574 - Add Skipper Unit Test In BasicBasicAuthConfig and Add More Detail Explanation regarding BasicAuthValidator by [@​RyoKusnadi](https://togithub.com/RyoKusnadi) in [labstack/echo#2461 - fix some typos by [@​teslaedison](https://togithub.com/teslaedison) in [labstack/echo#2603 - fix: some typos by [@​pomadev](https://togithub.com/pomadev) in [labstack/echo#2596 - Allow ResponseWriters to unwrap writers when flushing/hijacking by [@​aldas](https://togithub.com/aldas) in [labstack/echo#2595 - Add SPDX licence comments to files. by [@​aldas](https://togithub.com/aldas) in [labstack/echo#2604 - Upgrade deps by [@​aldas](https://togithub.com/aldas) in [labstack/echo#2605 - Change type definition blocks to single declarations. This helps copy… by [@​aldas](https://togithub.com/aldas) in [labstack/echo#2606 - Fix Real IP logic by [@​cl-bvl](https://togithub.com/cl-bvl) in [labstack/echo#2550 - Default binder can use `UnmarshalParams(params []string) error` inter… by [@​aldas](https://togithub.com/aldas) in [labstack/echo#2607 - Default binder can bind pointer to slice as struct field. For example `*[]string` by [@​aldas](https://togithub.com/aldas) in [labstack/echo#2608 - Remove maxparam dependence from Context by [@​aldas](https://togithub.com/aldas) in [labstack/echo#2611 - When route is registered with empty path it is normalized to `/`. by [@​aldas](https://togithub.com/aldas) in [labstack/echo#2616 - proxy middleware should use httputil.ReverseProxy for SSE requests by [@​aldas](https://togithub.com/aldas) in [labstack/echo#2624 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on Monday" in timezone Europe/Paris, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/cozy/cozy-stack). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMTMuMSIsInVwZGF0ZWRJblZlciI6IjM3LjMxMy4xIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=-->
](https://renovatebot.com){kind=link}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hello.
This fix for realIP logic.
We should check for trusting not real IP, but RemoteIP, who sends the request.
For example, we have a client - 1.1.1.1 and LB - 8.8.8.8.
LB are trusting, all requests sended by it have X-Real-Ip header with client IP and we should extract it from headers.
We should not extract RealIP from requests sended from another hosts (not our LB).
Current implementation checking client IP for trusting, but it's incorrect.