TrustedProxies: Add default IPv6 support and refactor (#2967)
This commit is contained in:
Notealot
GitHub
52
context.go
52
context.go
@ -757,10 +757,14 @@ func (c *Context) ClientIP() string {
|
||||
}
|
||||
}
|
||||
|
||||
remoteIP, trusted := c.RemoteIP()
|
||||
// It also checks if the remoteIP is a trusted proxy or not.
|
||||
// In order to perform this validation, it will see if the IP is contained within at least one of the CIDR blocks
|
||||
// defined by Engine.SetTrustedProxies()
|
||||
remoteIP := net.ParseIP(c.RemoteIP())
|
||||
if remoteIP == nil {
|
||||
return ""
|
||||
}
|
||||
trusted := c.engine.isTrustedProxy(remoteIP)
|
||||
|
||||
if trusted && c.engine.ForwardedByClientIP && c.engine.RemoteIPHeaders != nil {
|
||||
for _, headerName := range c.engine.RemoteIPHeaders {
|
||||
@ -773,53 +777,13 @@ func (c *Context) ClientIP() string {
|
||||
return remoteIP.String()
|
||||
}
|
||||
|
||||
func (e *Engine) isTrustedProxy(ip net.IP) bool {
|
||||
if e.trustedCIDRs != nil {
|
||||
for _, cidr := range e.trustedCIDRs {
|
||||
if cidr.Contains(ip) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// RemoteIP parses the IP from Request.RemoteAddr, normalizes and returns the IP (without the port).
|
||||
// It also checks if the remoteIP is a trusted proxy or not.
|
||||
// In order to perform this validation, it will see if the IP is contained within at least one of the CIDR blocks
|
||||
// defined by Engine.SetTrustedProxies()
|
||||
func (c *Context) RemoteIP() (net.IP, bool) {
|
||||
func (c *Context) RemoteIP() string {
|
||||
ip, _, err := net.SplitHostPort(strings.TrimSpace(c.Request.RemoteAddr))
|
||||
if err != nil {
|
||||
return nil, false
|
||||
return ""
|
||||
}
|
||||
remoteIP := net.ParseIP(ip)
|
||||
if remoteIP == nil {
|
||||
return nil, false
|
||||
}
|
||||
|
||||
return remoteIP, c.engine.isTrustedProxy(remoteIP)
|
||||
}
|
||||
|
||||
func (e *Engine) validateHeader(header string) (clientIP string, valid bool) {
|
||||
if header == "" {
|
||||
return "", false
|
||||
}
|
||||
items := strings.Split(header, ",")
|
||||
for i := len(items) - 1; i >= 0; i-- {
|
||||
ipStr := strings.TrimSpace(items[i])
|
||||
ip := net.ParseIP(ipStr)
|
||||
if ip == nil {
|
||||
return "", false
|
||||
}
|
||||
|
||||
// X-Forwarded-For is appended by proxy
|
||||
// Check IPs in reverse order and stop when find untrusted proxy
|
||||
if (i == 0) || (!e.isTrustedProxy(ip)) {
|
||||
return ipStr, true
|
||||
}
|
||||
}
|
||||
return
|
||||
return ip
|
||||
}
|
||||
|
||||
// ContentType returns the Content-Type header of the request.
|
||||
|
||||
Reference in New Issue
Block a user