real_ip/
lib.rs

1//! Get the "real-ip" of an incoming request.
2//!
3//! This uses the "forwarded", "x-forwarded-for" or "x-real-ip" headers set by reverse proxies.
4//!
5//! ## Trusted proxies
6//!
7//! To stop clients from being able to spoof the remote ip, you are required to configure the trusted proxies
8//! which are allowed to set the forwarded headers.
9//!
10//! Trusted proxies are configured as a list of [`IpNet`]s, which can be a single ip or an ip range.
11//!
12//! Note that if multiple forwarded-for addresses are present, which can be the case when using nested reverse proxies,
13//! all proxies in the chain have to be within the list of trusted proxies.
14//!
15//! ## Examples
16//!
17//! A request originating from 192.0.2.1, being proxied through 10.10.10.10 and 10.0.0.1 before reaching our program
18//!
19//! ```
20//! # use http::Request;
21//! # use std::net::IpAddr;
22//! # use real_ip::{real_ip, IpNet};
23//! #
24//! // in a real program this info would of course come from the http server
25//! let incoming_ip = IpAddr::from([10, 0, 0, 1]);
26//! let request = Request::builder().header("x-forwarded-for", "192.0.2.1, 10.10.10.10").body(()).unwrap();
27//!
28//! // the reverse-proxies in our network that we trust
29//! let trusted_proxies = [
30//!     IpAddr::from([10, 0, 0, 1]).into(),
31//!     IpNet::new_assert(IpAddr::from([10, 10, 10, 0]), 24), // 10.10.10.0/24
32//! ];
33//! let client_ip = real_ip(request.headers(), incoming_ip, &trusted_proxies);
34//! assert_eq!(Some(IpAddr::from([192, 0, 2, 1])), client_ip);
35//! ```
36//!
37//! A request originating from 192.0.2.1, being proxied through 203.0.113.10 and 10.0.0.1 before reaching our program.
38//! But 203.0.113.10 is not a trusted proxy, so we don't accept anything it added to the forwarded headers
39//!
40//! ```
41//! # use http::Request;
42//! # use std::net::IpAddr;
43//! # use real_ip::{real_ip, IpNet};
44//! #
45//! let incoming_ip = IpAddr::from([10, 0, 0, 1]);
46//! let request = Request::builder().header("forwarded", "for=192.0.2.1, for=203.0.113.10;proto=https").body(()).unwrap();
47//!
48//! let trusted_proxies = [
49//!     IpAddr::from([10, 0, 0, 1]).into(),
50//!     IpNet::new_assert(IpAddr::from([10, 10, 10, 0]), 24),
51//! ];
52//! let client_ip = real_ip(request.headers(), incoming_ip, &trusted_proxies);
53//! assert_eq!(Some(IpAddr::from([203, 0, 113, 10])), client_ip);
54//! ```
55
56pub mod headers;
57
58use crate::headers::{
59    extract_forwarded_header, extract_real_ip_header, extract_x_forwarded_for_header,
60};
61use either::Either;
62use http::HeaderMap;
63pub use ipnet::IpNet;
64use std::iter::{empty, once};
65use std::net::IpAddr;
66
67/// Get the "real-ip" of an incoming request.
68///
69/// See the [top level documentation](crate) for more usage details.
70pub fn real_ip(headers: &HeaderMap, remote: IpAddr, trusted_proxies: &[IpNet]) -> Option<IpAddr> {
71    let mut hops = get_forwarded_for(headers).chain(once(remote));
72    let first = hops.next();
73    let hops = first.iter().copied().chain(hops);
74
75    'outer: for hop in hops.rev() {
76        for proxy in trusted_proxies {
77            dbg!(proxy);
78            if proxy.contains(&hop) {
79                continue 'outer;
80            }
81        }
82        return Some(hop);
83    }
84
85    // all hops were trusted, return the first one
86    first
87}
88
89/// Extracts the ip addresses from the "forwarded for" chain from a request
90///
91/// Note that this doesn't perform any validation against clients forging the headers
92pub fn get_forwarded_for(headers: &HeaderMap) -> impl DoubleEndedIterator<Item = IpAddr> + '_ {
93    if let Some(header) = headers.get("forwarded") {
94        let header = header.to_str().unwrap_or_default();
95        return Either::Left(Either::Left(extract_forwarded_header(header)));
96    }
97
98    if let Some(header) = headers.get("x-forwarded-for") {
99        let header = header.to_str().unwrap_or_default();
100        return Either::Left(Either::Right(extract_x_forwarded_for_header(header)));
101    }
102
103    if let Some(header) = headers.get("x-real-ip") {
104        let header = header.to_str().unwrap_or_default();
105        return Either::Right(Either::Left(extract_real_ip_header(header)));
106    }
107
108    Either::Right(Either::Right(empty()))
109}
110
111#[allow(dead_code)]
112#[doc = include_str!("../README.md")]
113fn test_readme_examples() {}
114
115#[test]
116fn test_malformed() {
117    use http::header::HeaderValue;
118    let mut headers = HeaderMap::new();
119    headers.insert(
120        "forwarded",
121        HeaderValue::from_static(
122            "by=203.0.111.42;for=1.2.3.4:8888,for=5.6.7.8;proto=https;nonsense",
123        ),
124    );
125    let trusted_proxies = [
126        IpAddr::from([2, 3, 4, 5]).into(),
127        IpAddr::from([5, 6, 7, 8]).into(),
128    ];
129    let remote = IpAddr::from([2, 3, 4, 5]);
130    assert!(get_forwarded_for(&headers).next().is_none());
131    assert_eq!(
132        Some(IpAddr::from([2, 3, 4, 5])),
133        real_ip(&headers, remote, &trusted_proxies)
134    );
135}