Crate real_ip

Source
Expand description

Get the “real-ip” of an incoming request.

This uses the “forwarded”, “x-forwarded-for” or “x-real-ip” headers set by reverse proxies.

§Trusted proxies

To stop clients from being able to spoof the remote ip, you are required to configure the trusted proxies which are allowed to set the forwarded headers.

Trusted proxies are configured as a list of IpNets, which can be a single ip or an ip range.

Note that if multiple forwarded-for addresses are present, which can be the case when using nested reverse proxies, all proxies in the chain have to be within the list of trusted proxies.

§Examples

A request originating from 192.0.2.1, being proxied through 10.10.10.10 and 10.0.0.1 before reaching our program

// in a real program this info would of course come from the http server
let incoming_ip = IpAddr::from([10, 0, 0, 1]);
let request = Request::builder().header("x-forwarded-for", "192.0.2.1, 10.10.10.10").body(()).unwrap();

// the reverse-proxies in our network that we trust
let trusted_proxies = [
    IpAddr::from([10, 0, 0, 1]).into(),
    IpNet::new_assert(IpAddr::from([10, 10, 10, 0]), 24), // 10.10.10.0/24
];
let client_ip = real_ip(request.headers(), incoming_ip, &trusted_proxies);
assert_eq!(Some(IpAddr::from([192, 0, 2, 1])), client_ip);

A request originating from 192.0.2.1, being proxied through 203.0.113.10 and 10.0.0.1 before reaching our program. But 203.0.113.10 is not a trusted proxy, so we don’t accept anything it added to the forwarded headers

let incoming_ip = IpAddr::from([10, 0, 0, 1]);
let request = Request::builder().header("forwarded", "for=192.0.2.1, for=203.0.113.10;proto=https").body(()).unwrap();

let trusted_proxies = [
    IpAddr::from([10, 0, 0, 1]).into(),
    IpNet::new_assert(IpAddr::from([10, 10, 10, 0]), 24),
];
let client_ip = real_ip(request.headers(), incoming_ip, &trusted_proxies);
assert_eq!(Some(IpAddr::from([203, 0, 113, 10])), client_ip);

Modules§

headers

Enums§

IpNet
An IP network address, either IPv4 or IPv6.

Functions§

get_forwarded_for
Extracts the ip addresses from the “forwarded for” chain from a request
real_ip
Get the “real-ip” of an incoming request.