Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add port number to RealIP middleware #518

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add port number to RealIP middleware #518

wants to merge 1 commit into from

Conversation

arp242
Copy link

@arp242 arp242 commented Jun 12, 2020

Fixes #453

Downside: this is not entirely backwards compatible; e.g. my app will
actually break because it assumes you're running it behind a proxy and
won't remove the port. Then again, it already breaks for people not
using a proxy, but in certain scenarios (e.g. some closed source app)
that will probably never really happen.

So ... maybe something for v5? Just thought I'd open a PR in any case.

@arp242
Add port number to RealIP middleware
2a141d0 
Fixes #453

Downside: this is not entirely backwards compatible; e.g. my app will
actually break because it *assumes* you're running it behind a proxy and
won't remove the port. Then again, it already breaks for people not
using a proxy, but in certain scenarios (e.g. some closed source app)
that will probably never really happen.

So ... maybe something for v5? Just thought I'd open a PR in any case.
VojtechVitek
VojtechVitek reviewed Jun 14, 2020
View reviewed changes
middleware/realip.go
@@ -29,7 +30,7 @@ var xRealIP = http.CanonicalHeaderKey("X-Real-IP")
func RealIP(h http.Handler) http.Handler {
fn := func(w http.ResponseWriter, r *http.Request) {
if rip := realIP(r); rip != "" {
r.RemoteAddr = rip
r.RemoteAddr = net.JoinHostPort(rip, "0")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why would we add :0 port to the address? This doesn't make sense to me. Can you clarify?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because that's the format Go uses for RemoteAddr; see #453

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am wondering if the use of port 0 is actually the best way to go?
Since chi is an HTTP router - wouldn't 1.2.3.4 be equal to 1.2.3.4:80 (the default HTTP port)?
Or am I missing something?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's normally set to the source port, not destination port. Any value is "wrong", and at least 0 is "clearly wrong".

@pkieltyka
Copy link
Member

I think the best solution is to stop overwriting r.RemoteAddr from RealIP middleware and instead setting a value on the request context

@jawnsy
Copy link

jawnsy commented Feb 6, 2022

I think the best solution is to stop overwriting r.RemoteAddr from RealIP middleware and instead setting a value on the request context

@pkieltyka I think the problem with that approach is that it requires downstream consumers (either other middlewares or handlers) to be aware that the realip middleware is higher in the chain. It also means that removing the middleware (e.g. commenting out the r.Use line) would either require changes to downstream code (to stop checking for that context), or, I suppose compatibility logic in the middleware to just return the unmodified RemoteAddr in case the context does not exist. That behavior, in turn, seems like it could make debugging difficult in that case.

There are also some other disadvantages of the current approach (such as being vulnerable to spoofing attacks and having limited support for different header types) for which I'd like to propose some changes (I'll open a separate issue for that). Thanks for this awesome library!

@VojtechVitek VojtechVitek added v5 v6 and removed v5 labels Sep 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pavelpascari pavelpascari pavelpascari left review comments

@VojtechVitek VojtechVitek VojtechVitek left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
v6
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

RealIP sets r.RemoteAddr without port
5 participants
@arp242 @pkieltyka @jawnsy @VojtechVitek @pavelpascari