Client-address resolution that does not blindly trust hop headers.
resolve_client_ip is the single helper every middleware that
cares about the originating client (rate-limiter, IP banlist,
bot-scoring, abuse heuristics) must use. The contract:
1. If the immediate socket peer (ConnectInfo<SocketAddr>) is not contained in trusted_proxies, return the peer address. Hop headers are ignored entirely — they are untrusted in this case.
2. If the peer is trusted, walk X-Forwarded-For right-to-left and take the first hop that is itself outside trusted_proxies. That hop is the closest entity our proxy chain still sees, and the earliest one a client could have spoofed.
3. If the chain is empty or every hop is trusted, fall back to the peer address.
X-Real-IP and CF-Connecting-IP are honoured only under rule 2’s
trust gate; otherwise they are ignored.
parse_trusted_proxies drops invalid CIDR entries with a tracing::warn!
rather than failing bootstrap: a single typo in a profile must not take
the whole replica offline.
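
The contract above and the lenient CIDR parsing, as an added std-only sketch that is not this crate's own code. The `Cidr` type, the function signatures, and the choice to stop at a malformed hop are assumptions; `eprintln!` stands in for `tracing::warn!`, and X-Real-IP / CF-Connecting-IP handling is left out.

```rust
use std::net::{IpAddr, SocketAddr};
// Hypothetical minimal CIDR type (std only); the crate's real type is not shown on the page.
#[derive(Clone, Copy)]
pub struct Cidr { net: u128, bits: u32, v4: bool }
fn widen(ip: IpAddr) -> (u128, bool) {
    match ip {
        IpAddr::V4(a) => ((u32::from(a) as u128) << 96, true),
        IpAddr::V6(a) => (u128::from(a), false),
    }
}
impl Cidr {
    pub fn parse(s: &str) -> Option<Cidr> {
        let (addr, len) = s.trim().split_once('/')?;
        let (net, v4) = widen(addr.parse().ok()?);
        let bits: u32 = len.parse().ok()?;
        (bits <= if v4 { 32 } else { 128 }).then_some(Cidr { net, bits, v4 })
    }
    pub fn contains(&self, ip: IpAddr) -> bool {
        let (v, v4) = widen(ip);
        let mask = if self.bits == 0 { 0 } else { u128::MAX << (128 - self.bits) };
        v4 == self.v4 && (v & mask) == (self.net & mask)
    }
}

// Invalid entries are dropped with a warning instead of aborting startup.
pub fn parse_trusted_proxies(raw: &[&str]) -> Vec<Cidr> {
    raw.iter().filter_map(|s| {
        let c = Cidr::parse(s);
        if c.is_none() { eprintln!("ignoring invalid trusted proxy CIDR {s:?}"); }
        c
    }).collect()
}

pub fn resolve_client_ip(peer: SocketAddr, xff: Option<&str>, trusted: &[Cidr]) -> IpAddr {
    let is_trusted = |ip: IpAddr| trusted.iter().any(|c| c.contains(ip));
    if !is_trusted(peer.ip()) { return peer.ip(); } // rule 1: headers ignored
    for hop in xff.unwrap_or("").rsplit(',') {
        match hop.trim().parse::<IpAddr>() {
            Ok(ip) if is_trusted(ip) => continue, // one of our proxies, keep walking left
            Ok(ip) => return ip,                  // rule 2: first untrusted hop
            Err(_) => break, // assumption: a malformed hop ends the walk
        }
    }
    peer.ip() // rule 3: empty chain or every hop trusted
}

fn main() {
    let t = parse_trusted_proxies(&["10.0.0.0/8", "not-a-cidr"]); // constructed sample config
    let peer: SocketAddr = "10.0.0.2:443".parse().unwrap();
    println!("{}", resolve_client_ip(peer, Some("192.0.2.66, 203.0.113.7, 10.0.0.1"), &t));
}
```

In the sample call the leftmost entry is client-supplied and never reached: the walk stops at 203.0.113.7, the address the outermost trusted proxy recorded.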