Crate actix_client_ip_cloudflare

Extractor for trustworthy client IP addresses when proxied through Cloudflare.

When traffic to your web server is proxied through Cloudflare, it is tagged with headers containing the original client’s IP address. See the Cloudflare documentation for info on configuring your proxy settings. However, these headers can be spoofed by clients if your origin server is exposed to the internet.

The goal of this crate is to provide a simple extractor for clients’ IP addresses whilst ensuring their integrity. To achieve this, it is necessary to build a list of trusted peers which are guaranteed to provide (e.g., Cloudflare) or pass-though (e.g., local load-balancers) the headers accurately.

Cloudflare’s trustworthy IP ranges sometimes change, so this crate also provides a utility for obtaining them from Cloudflare’s API (fetch_trusted_cf_ips()). If your origin server’s direct peer is Cloudflare, this list will be sufficient to establish the trust chain. However, if your setup includes load balancers or reverse proxies then you’ll need to add their IP ranges to the trusted set for the TrustedClientIp extractor to work as expected.

Typical Usage

1. Add an instance of TrustedIps to your app data. It is recommended to construct your trusted IP set using fetch_trusted_cf_ips() and add any further trusted ranges to that.
2. Use the TrustedClientIp extractor in your handlers.

Example

use actix_client_ip_cloudflare::{fetch_trusted_cf_ips, TrustedClientIp};

let cloudflare_ips = fetch_trusted_cf_ips()
    .await
    .unwrap()
    .add_loopback_ips();

HttpServer::new(move || {
    App::new()
        .app_data(cloudflare_ips.clone())
        .service(handler)
});

#[get("/")]
async fn handler(client_ip: TrustedClientIp) -> String {
    client_ip.to_string()
}

Crate Features

fetch-ips (default): Enables functionality to (asynchronously) fetch Cloudflare’s trusted IP list from their API. This feature includes rustls but if you prefer OpenSSL you can use it by disabling default crate features and enabling fetch-ips-openssl instead.

Structs

• TrustedClientIp
  Extractor for a client IP that has passed through Cloudflare and is verified as not spoofed.
• TrustedIps
  Trusted IP ranges.

Enums

• CfConnectingIp
  Header containing client’s IPv4 address when server is behind Cloudflare.
• CfConnectingIpv6
  Header containing client’s IPv6 address when server is behind Cloudflare.

Constants

• CF_CONNECTING_IP
  Cloudflare’s cf-connecting-ip header name.
• CF_CONNECTING_IPV6
  Cloudflare’s cf-connecting-ipv6 header name.
• CF_URL_IPS
  URL for Cloudflare’s canonical list of IP ranges.

Functions

• fetch_trusted_cf_ipsfetch-ips
  Fetched trusted Cloudflare IP addresses from their API.