Confusing default behaviour of ExtractIPFromRealIPHeader #2226

Open
3 tasks done
harrier-lcc opened this issue Jul 20, 2022 · 1 comment


@harrier-lcc

Issue Description

For ExtractIPFromRealIPHeader, the current default behaviour is to capture the IP in X-Real-IP only if it is trusted (with the default setting, this is only addresses in private nets, loopback, etc.) when you use it as e.IPExtractor = ExtractIPFromRealIPHeader().

However, this is usually not the usage for ExtractIPFromRealIPHeader, as often the ingress in front will correctly set/resolve the correct client IP address to X-Real-IP, and thus one would want to use ExtractIPFromRealIPHeader to extract the address regardless of whether it is trusted or not.

So now one will use it as follows:

```go
_, ipV4, _ := net.ParseCIDR("0.0.0.0/0")
_, ipV6, _ := net.ParseCIDR("0:0:0:0:0:0:0:0/0")
e.IPExtractor = echo.ExtractIPFromRealIPHeader(echo.TrustIPRange(ipV4), echo.TrustIPRange(ipV6))
```

Compared to the case of ExtractIPFromXFFHeader, where it extracts the rightmost untrusted IP, it seems weird that ExtractIPFromRealIPHeader only extracts an IP that is trusted (and falls back to the network address, which will be some ingress address if there is one). In these two cases a "trusted" address seems to have different meanings (in ExtractIPFromXFFHeader it's the proxy addresses that are trusted; in ExtractIPFromRealIPHeader it is the address that is trusted to be used), and it's very confusing.

echo/ip.go

Lines 223 to 236 in ec92fed

```go
// ExtractIPFromRealIPHeader extracts IP address using x-real-ip header.
// Use this if you put proxy which uses this header.
func ExtractIPFromRealIPHeader(options ...TrustOption) IPExtractor {
	checker := newIPChecker(options)
	return func(req *http.Request) string {
		realIP := req.Header.Get(HeaderXRealIP)
		if realIP != "" {
			if ip := net.ParseIP(realIP); ip != nil && checker.trust(ip) {
				return realIP
			}
		}
		return extractIP(req)
	}
}
```

Checklist

  • Dependencies installed
  • No typos
  • Searched existing issues and docs

Expected behaviour

ExtractIPFromRealIPHeader captures the value in X-Real-IP by default, without the "trusted" check

Actual behaviour

ExtractIPFromRealIPHeader only captures the value if X-Real-IP contains a "trusted" address

Steps to reproduce

Version/commit

4.7.2
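
The two meanings of "trusted" contrasted in this issue, as an added example that is not part of the original post and is not echo's code. It is a standard-library model: `extract`, `trustFn`, `defaultTrust`, `trustAll`, `peerIP` and `newReq` are hypothetical names, `defaultTrust` only approximates the default the issue describes, and the addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
)

type trustFn func(net.IP) bool

// defaultTrust approximates the default the issue describes (assumption).
func defaultTrust(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsPrivate()
}

func trustAll(net.IP) bool { return true } // same effect as trusting 0.0.0.0/0 and ::/0

// peerIP returns the host part of RemoteAddr, the network-level peer.
func peerIP(req *http.Request) string {
	host, _, err := net.SplitHostPort(req.RemoteAddr)
	if err != nil {
		return req.RemoteAddr
	}
	return host
}

// extract models both meanings of "trusted". checkPeer=false mirrors the quoted
// function (the header value must be trusted); checkPeer=true is a hypothetical
// variant where the direct peer, i.e. the proxy, must be trusted instead.
func extract(req *http.Request, trust trustFn, checkPeer bool) string {
	realIP := req.Header.Get("X-Real-IP")
	subject := realIP
	if checkPeer {
		subject = peerIP(req)
	}
	if s := net.ParseIP(subject); net.ParseIP(realIP) != nil && s != nil && trust(s) {
		return realIP
	}
	return peerIP(req)
}

// newReq builds a constructed request for the demonstration.
func newReq(remoteAddr, realIP string) *http.Request {
	req := &http.Request{RemoteAddr: remoteAddr, Header: http.Header{}}
	req.Header.Set("X-Real-IP", realIP)
	return req
}

func main() {
	viaIngress := newReq("10.0.0.5:41000", "203.0.113.7") // ingress filled in the client IP
	fmt.Println(extract(viaIngress, defaultTrust, false), extract(viaIngress, trustAll, false), extract(viaIngress, defaultTrust, true))
}
```

With the header-value check, the result depends on what the header contains rather than on who sent it; with the peer check, the header is used only when the connection comes from a trusted proxy address.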

@hyacinthus
Contributor

Yes, I agree with this issue too much; it confused me for a long time and was too counter-intuitive.
