| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354 |
- package middleware
-
- // Ported from Goji's middleware, source:
- // https://github.com/zenazn/goji/tree/master/web/middleware
-
- import (
- "net/http"
- "strings"
- )
-
- var xForwardedFor = http.CanonicalHeaderKey("X-Forwarded-For")
- var xRealIP = http.CanonicalHeaderKey("X-Real-IP")
-
- // RealIP is a middleware that sets a http.Request's RemoteAddr to the results
- // of parsing either the X-Real-IP header or the X-Forwarded-For header (in that
- // order).
- //
- // This middleware should be inserted fairly early in the middleware stack to
- // ensure that subsequent layers (e.g., request loggers) which examine the
- // RemoteAddr will see the intended value.
- //
- // You should only use this middleware if you can trust the headers passed to
- // you (in particular, the two headers this middleware uses), for example
- // because you have placed a reverse proxy like HAProxy or nginx in front of
- // chi. If your reverse proxies are configured to pass along arbitrary header
- // values from the client, or if you use this middleware without a reverse
- // proxy, malicious clients will be able to make you very sad (or, depending on
- // how you're using RemoteAddr, vulnerable to an attack of some sort).
- func RealIP(h http.Handler) http.Handler {
- fn := func(w http.ResponseWriter, r *http.Request) {
- if rip := realIP(r); rip != "" {
- r.RemoteAddr = rip
- }
- h.ServeHTTP(w, r)
- }
-
- return http.HandlerFunc(fn)
- }
-
- func realIP(r *http.Request) string {
- var ip string
-
- if xrip := r.Header.Get(xRealIP); xrip != "" {
- ip = xrip
- } else if xff := r.Header.Get(xForwardedFor); xff != "" {
- i := strings.Index(xff, ", ")
- if i == -1 {
- i = len(xff)
- }
- ip = xff[:i]
- }
-
- return ip
- }
|
