You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
For ExtractIPFromRealIPHeader, currently, the default behaviour is to only capture IP in x-real-ip only if it is trusted (for the default setting, this is only the address in private net / loopback etc. (when you use it as e.IPExtractor = ExtractIPFromRealIPHeader())
However, this is usually not the usage for ExtractIPFromRealIPHeader, as often the ingress in front will correctly set/resolve the correct client IP address to X-Real-IP, and thus one would want to use ExtractIPFromRealIPHeader to extract address regardless of it is trusted or not.
Comparing to the case in ExtractIPFromXFFHeader where it extracts the rightmost untrusted IP, it seems weird that ExtractIPFromRealIPHeader only extracts IP that is trusted (and fallback to network address, which will be some ingress address if there is one). In these two cases "trusted" address seems to have different meaning (in ExtractIPFromXFFHeader its the proxy addresses that are trusted, in ExtractIPFromRealIPHeader it is the address that is trusted to be used) at all and it's very confusing.
Issue Description
For
ExtractIPFromRealIPHeader
, currently, the default behaviour is to only capture IP inx-real-ip
only if it is trusted (for the default setting, this is only the address in private net / loopback etc. (when you use it ase.IPExtractor = ExtractIPFromRealIPHeader()
)However, this is usually not the usage for
ExtractIPFromRealIPHeader
, as often the ingress in front will correctly set/resolve the correct client IP address toX-Real-IP
, and thus one would want to useExtractIPFromRealIPHeader
to extract address regardless of it is trusted or not.So now one will use it as follows:
Comparing to the case in
ExtractIPFromXFFHeader
where it extracts the rightmost untrusted IP, it seems weird thatExtractIPFromRealIPHeader
only extracts IP that is trusted (and fallback to network address, which will be some ingress address if there is one). In these two cases "trusted" address seems to have different meaning (inExtractIPFromXFFHeader
its the proxy addresses that are trusted, inExtractIPFromRealIPHeader
it is the address that is trusted to be used) at all and it's very confusing.echo/ip.go
Lines 223 to 236 in ec92fed
Checklist
Expected behaviour
ExtractIPFromRealIPHeader
captures value in X-Real-IP by default, without the "trusted" checkActual behaviour
ExtractIPFromRealIPHeader
only captures if X-Real-IP contains "trusted" addressSteps to reproduce
Version/commit
4.7.2
The text was updated successfully, but these errors were encountered: