The code right now chooses the rightmost X-Forwarded-For or Forwarded value. This only works if there is only one reverse proxy.
Instead, AllowedNets could be used to check from the rightmost for the first (from the right) IP that is not in the AllowedNets ranges. This would allow for any number of trusted reverse proxies between the internet and the server using this library.
If you do change to searching from the right, make sure to include all matching headers rather than just the last one. Otherwise you might search through the whole last header without finding what you want, and miss other headers.
More details here: https://adam-p.ca/blog/2022/03/x-forwarded-for/#algorithms
(I applaud you for using a rightmost approach rather than leftmost. This library is better than the vast majority of similar libraries that I looked at.)
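The rightmost-untrusted walk proposed in this issue, written out as an added Go example (this is not the library's own code; the `AllowedNets` type, the `RealIP` function and the sample addresses are assumptions made for illustration). It starts from `RemoteAddr`, refuses to trust any header when the direct peer is not a known proxy, gathers every `X-Forwarded-For` header rather than only the last one, and then scans the combined list from the right for the first address outside the trusted ranges:

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// AllowedNets is a hypothetical stand-in for the library's trusted-proxy ranges.
type AllowedNets []*net.IPNet

// ParseAllowedNets builds the trusted ranges from CIDR strings.
func ParseAllowedNets(cidrs ...string) (AllowedNets, error) {
	var nets AllowedNets
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %w", c, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// Contains reports whether ip falls inside any trusted range.
func (a AllowedNets) Contains(ip net.IP) bool {
	for _, n := range a {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// parseHop accepts "ip", "ip:port" or "[ip6]:port" and returns nil if unparseable.
func parseHop(s string) net.IP {
	s = strings.TrimSpace(s)
	if host, _, err := net.SplitHostPort(s); err == nil {
		s = host
	}
	return net.ParseIP(strings.Trim(s, "[]"))
}

// RealIP returns the client address using the rightmost-untrusted algorithm.
func RealIP(r *http.Request, trusted AllowedNets) (net.IP, error) {
	peer := parseHop(r.RemoteAddr)
	if peer == nil {
		return nil, errors.New("unparseable RemoteAddr")
	}
	// A direct connection from outside the trusted ranges: nothing in the
	// forwarding headers can be believed, the peer itself is the client.
	if !trusted.Contains(peer) {
		return peer, nil
	}
	// Collect every X-Forwarded-For header, not just the last one; proxies may
	// append a new header instead of extending the existing one.
	var hops []string
	for _, v := range r.Header.Values("X-Forwarded-For") {
		hops = append(hops, strings.Split(v, ",")...)
	}
	if len(hops) == 0 {
		return peer, nil
	}
	// Walk from the right: each trusted proxy appended the address of the hop
	// before it, so the first untrusted address from the right is the client.
	for i := len(hops) - 1; i >= 0; i-- {
		ip := parseHop(hops[i])
		if ip == nil {
			// A trusted proxy appended garbage: refuse to guess.
			return nil, fmt.Errorf("unparseable X-Forwarded-For entry %q", hops[i])
		}
		if !trusted.Contains(ip) {
			return ip, nil
		}
	}
	// Every hop is a trusted proxy (an internal client); leftmost is the origin.
	return parseHop(hops[0]), nil
}

func main() {
	trusted, _ := ParseAllowedNets("10.0.0.0/8")
	// Constructed sample: peer is proxy 10.0.0.2, which received the request
	// from proxy 10.0.0.3 (sent as a second header), which received it from
	// client 5.6.7.8; 1.2.3.4 is a value the client spoofed.
	r := &http.Request{RemoteAddr: "10.0.0.2:4433", Header: http.Header{}}
	r.Header.Add("X-Forwarded-For", "1.2.3.4, 5.6.7.8")
	r.Header.Add("X-Forwarded-For", "10.0.0.3")
	ip, err := RealIP(r, trusted)
	fmt.Println(ip, err) // 5.6.7.8 <nil>
}
```

Note what the two-header sample exercises: a search that only looks at the last `X-Forwarded-For` header would see `10.0.0.3`, find no untrusted address, and miss the client in the first header, which is exactly the trap the issue warns about.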
Your use case is absolutely valid - and now I'm wondering why I didn't think of it at the time of writing.
Unfortunately, as you can see, this library is quite old and hasn't been touched for seven years now. I'm not actively developing with Go at the moment and quite reluctant to change anything in a library that I'm not using. Any change in logic would require a version change (i.e. introducing v2 of the library) as it may be used in some other projects. Also I looked at the code and don't see any elegant way to change its logic. All these issues would not be critical if I had time, but I don't currently, sorry.