Expand description

Extractor for trustworthy client IP addresses when proxied through Cloudflare.

When traffic to your web server is proxied through Cloudflare, it is tagged with headers containing the original client’s IP address. See the Cloudflare documentation for info on configuring your proxy settings. However, these headers can be spoofed by clients if your origin server is exposed to the internet.

The goal of this crate is to provide a simple extractor for clients’ IP addresses whilst ensuring their integrity. To achieve this, it is necessary to build a list of trusted peers which are guaranteed to provide (e.g., Cloudflare) or pass-though (e.g., local load-balancers) the headers accurately.

Cloudflare’s trustworthy IP ranges sometimes change, so this crate also provides a utility for obtaining them from Cloudflare’s API (fetch_trusted_cf_ips()). If your origin server’s direct peer is Cloudflare, this list will be sufficient to establish the trust chain. However, if your setup includes load balancers or reverse proxies then you’ll need to add their IP ranges to the trusted set for the TrustedClientIp extractor to work as expected.

Typical Usage

  1. Add an instance of TrustedIps to your app data. It is recommended to construct your trusted IP set using fetch_trusted_cf_ips() and add any further trusted ranges to that.
  2. Use the TrustedClientIp extractor in your handlers.

Example

use actix_client_ip_cloudflare::{fetch_trusted_cf_ips, TrustedClientIp};

let cloudflare_ips = fetch_trusted_cf_ips()
    .await
    .unwrap()
    .add_loopback_ips();

HttpServer::new(move || {
    App::new()
        .app_data(cloudflare_ips.clone())
        .service(handler)
});

#[get("/")]
async fn handler(client_ip: TrustedClientIp) -> String {
    client_ip.to_string()
}

Crate Features

fetch-ips (default): Enables functionality to (asynchronously) fetch Cloudflare’s trusted IP list from their API. This feature includes rustls but if you prefer OpenSSL you can use it by disabling default crate features and enabling fetch-ips-openssl instead.

Structs

  • Extractor for a client IP that has passed through Cloudflare and is verified as not spoofed.
  • Trusted IP ranges.

Enums

  • Header containing client’s IPv4 address when server is behind Cloudflare.
  • Header containing client’s IPv6 address when server is behind Cloudflare.

Constants

Functions