1 package middleware 2 3 // Ported from Goji's middleware, source: 4 // https://github.com/zenazn/goji/tree/master/web/middleware 5 6 import ( 7 "net/http" 8 "strings" 9 ) 10 11 var xForwardedFor = http.CanonicalHeaderKey("X-Forwarded-For") 12 var xRealIP = http.CanonicalHeaderKey("X-Real-IP") 13 14 // RealIP is a middleware that sets a http.Request's RemoteAddr to the results 15 // of parsing either the X-Forwarded-For header or the X-Real-IP header (in that 16 // order). 17 // 18 // This middleware should be inserted fairly early in the middleware stack to 19 // ensure that subsequent layers (e.g., request loggers) which examine the 20 // RemoteAddr will see the intended value. 21 // 22 // You should only use this middleware if you can trust the headers passed to 23 // you (in particular, the two headers this middleware uses), for example 24 // because you have placed a reverse proxy like HAProxy or nginx in front of 25 // chi. If your reverse proxies are configured to pass along arbitrary header 26 // values from the client, or if you use this middleware without a reverse 27 // proxy, malicious clients will be able to make you very sad (or, depending on 28 // how you're using RemoteAddr, vulnerable to an attack of some sort). 29 func RealIP(h http.Handler) http.Handler { 30 fn := func(w http.ResponseWriter, r *http.Request) { 31 if rip := realIP(r); rip != "" { 32 r.RemoteAddr = rip 33 } 34 h.ServeHTTP(w, r) 35 } 36 37 return http.HandlerFunc(fn) 38 } 39 40 func realIP(r *http.Request) string { 41 var ip string 42 43 if xrip := r.Header.Get(xRealIP); xrip != "" { 44 ip = xrip 45 } else if xff := r.Header.Get(xForwardedFor); xff != "" { 46 i := strings.Index(xff, ", ") 47 if i == -1 { 48 i = len(xff) 49 } 50 ip = xff[:i] 51 } 52 53 return ip 54 } 55