README
¶
Trusted proxy net/http middleware
bajankristof/trustedproxy is a net/http middleware for Go that helps you get the real client IP address (using the rightmost non-trusted IP algorithm) and scheme when your application is behind a trusted proxy. It uses a list of trusted proxy IP address prefixes to determine if the request is coming from a trusted proxy and then updates the request's RemoteAddr based on the X-Forwarded-For header and marks the request as secure if the X-Forwarded-Proto header indicates that the original request was made over HTTPS.
You can use trustedproxy.IsSecure(r) to check whether the request can be considered secure.
The request can only be considered secure if it came from a trusted proxy with the X-Forwarded-Proto header set to "https" or if the request did NOT come from a trusted proxy but was made over HTTPS.
You can also use trustedproxy.RemoteAddr(r) to get the remote address of the reverse proxy that forwarded the request.
If the request did NOT come from a trusted proxy, this function will return the same value as
r.RemoteAddr.
The middleware follows the standard net/http middleware pattern and can be easily integrated into your existing Go web application.
Installation
go get github.com/bajankristof/trustedproxy
Usage
package main
import (
"fmt"
"log/slog"
"net/http"
"net/netip"
"os"
"github.com/bajankristof/trustedproxy"
)
func main() {
// tp := trustedproxy.Default() to use the default trusted proxy IP ranges (loopback and private networks)
tp, err := trustedproxy.New(
trustedproxy.WithString("127.0.0.1"), // Add a concrete IP address as a trusted proxy
trustedproxy.WithString("192.168.0.0/16"), // Add an IP address range as a trusted proxy
trustedproxy.WithStrings("2001:db9::1", "2001:db9::2", "2001:db8::/32"), // Add multiple concrete IPv6 addresses as trusted proxies
trustedproxy.WithPrefix(netip.MustParsePrefix("2001:db8::/32")), // Add an IP address range as a trusted proxy using net.IPNet
)
if err != nil {
slog.Error(err.Error())
os.Exit(1)
}
http.Handle("/", tp.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
fmt.Println(r.RemoteAddr) // Prints the real client IP address
fmt.Println(trustedproxy.RemoteAddr(r)) // Prints the remote address of the reverse proxy
fmt.Println(trustedproxy.IsSecure(r)) // Prints whether the request can be considered secure
if _, err := w.Write([]byte("Hello, World!")); err != nil {
slog.Error(err.Error())
}
})))
if err := http.ListenAndServe(":8080", nil); err != nil {
slog.Error(err.Error())
os.Exit(1)
}
}
Documentation
¶
Index ¶
- func DefaultPrefixes() []netip.Prefix
- func IsSecure(r *http.Request) bool
- func RemoteAddr(r *http.Request) string
- type Option
- type TrustedProxy
- func (tp *TrustedProxy) AddIP(ip netip.Addr)
- func (tp *TrustedProxy) AddPrefix(prefix netip.Prefix)
- func (tp *TrustedProxy) AddString(s string) error
- func (tp *TrustedProxy) Check(r *http.Request) bool
- func (tp *TrustedProxy) Contains(ip netip.Addr) bool
- func (tp *TrustedProxy) Handler(h http.Handler) http.Handler
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DefaultPrefixes ¶
DefaultPrefixes returns the default trusted proxy IP ranges: loopback (127.0.0.1/32, ::1/128) and private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
func IsSecure ¶ added in v0.1.2
IsSecure reports whether the request can be considered secure. A request is considered secure if it came from a trusted proxy with the X-Forwarded-Proto header set to "https", or if it did not come from a trusted proxy but was made over HTTPS (r.TLS != nil). When the request came from a trusted proxy, r.TLS is ignored — only X-Forwarded-Proto determines the result.
func RemoteAddr ¶ added in v0.1.2
RemoteAddr returns the remote address of the reverse proxy that forwarded the request. If the request did not come from a trusted proxy, it returns the same value as r.RemoteAddr.
Types ¶
type Option ¶
type Option func(*TrustedProxy) error
func WithDefaults ¶
func WithDefaults() Option
WithDefaults adds the default trusted proxy IP ranges to the TrustedProxy. See DefaultPrefixes for the list of ranges.
func WithPrefix ¶
WithPrefix adds the given IP prefix to the TrustedProxy.
func WithPrefixes ¶
WithPrefixes adds the given IP prefixes to the TrustedProxy.
func WithString ¶
WithString adds the given string IP prefix or IP to the TrustedProxy.
func WithStrings ¶
WithStrings adds the given string IP prefixes or IPs to the TrustedProxy.
type TrustedProxy ¶
type TrustedProxy struct {
// contains filtered or unexported fields
}
TrustedProxy holds a list of trusted proxy IP prefixes. All methods are safe for concurrent use.
func Default ¶
func Default() *TrustedProxy
Default creates a new TrustedProxy with the default trusted proxy IP ranges. See DefaultPrefixes.
func New ¶
func New(opts ...Option) (*TrustedProxy, error)
New creates a new TrustedProxy with the given string IP prefixes or IPs.
func (*TrustedProxy) AddIP ¶
func (tp *TrustedProxy) AddIP(ip netip.Addr)
AddIP marks requests from the given IP address as coming from a trusted proxy.
func (*TrustedProxy) AddPrefix ¶
func (tp *TrustedProxy) AddPrefix(prefix netip.Prefix)
AddPrefix marks requests from the given prefix as coming from a trusted proxy.
func (*TrustedProxy) AddString ¶
func (tp *TrustedProxy) AddString(s string) error
AddString marks requests from the given string IP prefix or IP as coming from a trusted proxy.
func (*TrustedProxy) Check ¶
func (tp *TrustedProxy) Check(r *http.Request) bool
Check returns whether the request came from a trusted proxy based on the remote address of the request.
func (*TrustedProxy) Contains ¶
func (tp *TrustedProxy) Contains(ip netip.Addr) bool
Contains returns whether the given IP address is in the list of trusted proxies.
func (*TrustedProxy) Handler ¶
func (tp *TrustedProxy) Handler(h http.Handler) http.Handler
Handler returns a handler that updates the request's RemoteAddr field and its context based on the X-Forwarded-For and X-Forwarded-Proto headers if the remote address of the request is in the list of trusted proxies before invoking the handler h.
Source Files
Directories