A Golang Middleware to handle X-Forwarded-For Header

X-Forwarded-For middleware for Go

Package xff is a net/http middleware/handler to parse Forwarded HTTP Extension in Golang.

Example usage

Install xff:

go get github.com/sebest/xff

Edit server.go:

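package main

import (
  "log"
  "net/http"

  "github.com/sebest/xff"
)

func main() {
  handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    // r.RemoteAddr has been rewritten by the xff middleware from X-Forwarded-For.
    w.Write([]byte("hello from " + r.RemoteAddr + "\n"))
  })

  // xff.Default() returns an error as its second value; do not discard it.
  xffmw, err := xff.Default()
  if err != nil {
    log.Fatal(err)
  }
  // ListenAndServe only returns on failure, so log the reason and exit.
  log.Fatal(http.ListenAndServe(":8080", xffmw.Handler(handler)))
}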

Then run your server:

go run server.go

The server now runs on localhost:8080:

$ curl -D - -H 'X-Forwarded-For: 42.42.42.42' http://localhost:8080/
HTTP/1.1 200 OK
Date: Fri, 20 Feb 2015 20:03:02 GMT
Content-Length: 29
Content-Type: text/plain; charset=utf-8

hello from 42.42.42.42:52661

Comments
  • Added power support for the travis.yml file with ppc64le. and update go versions for package:  xff

    Added power support for the travis.yml file with ppc64le. This is part of the Ubuntu distribution for ppc64le. This helps us simplify testing later when distributions are re-building and re-releasing.

    updated the go version go:1.13, 1.14 and 1.15

  • add loopback range to default private masks

    Suggesting to add 127/8 to the default private masks range, it doesn't seem like things get much more private than the loopback. Per RFC5735 the whole of 127/8 is designated private:

    127.0.0.0/8 - This block is assigned for use as the Internet host loopback address. A datagram sent by a higher-level protocol to an address anywhere within this block loops back inside the host. This is ordinarily implemented using only 127.0.0.1/32 for loopback. As described in [RFC1122], Section 3.2.1.3, addresses within the entire 127.0.0.0/8 block do not legitimately appear on any network anywhere.

  • Incomplete private IP ranges

    The privateMasks list is incomplete. Here is a good list to use: https://github.com/letsencrypt/boulder/blob/30a516737c9daa4c88c8c47070c25a5e7033cdcf/bdns/dns.go#L31-L145

    (Then you can also remove the ip.IsGlobalUnicast check.)

  • Not a RFC 7239 "Forwarded" parser

    The README says that xff is intended to parse the RFC 7239 Forwarded header, but it's not -- it parses the X-Forwarded-For header. These are very different things.

  • Create xff Go module.

    Consider this change to make xff a Go module. This will not affect consumers which are not using modules, but will make it more convenient / easier for projects which are.

    Note that if you accept this change, releases should be tagged.

  • Properly parse nested proxy

    Closes #6

    Only continue parsing IP backwards if the proxy is in allowed IP range.

    This PR breaks the public interface by introducing an allowed function parameter into Parse. Also, the Parse behavior is now changed:

    • If invalid addresses are found, the last valid IP is returned instead of silently skipping those invalid addresses.
    • Local IP addresses can now be returned (IsPublicIP becomes an unused function) as all local proxy IPs should be listed in AllowedSubnets.

    I believe this breaking change is justified as it prevents people from having security issues by not providing an insecure validation mechanism. It should be released as a versioned package though (e.g. using gopkg.in).

  • Allow for remote to be a private ip

    IsPublicIP is called from Parse, this applies even if we've configured AllowedSubnets. I'd still argue IsPublicIP does not belong as a filter by default since there's no reason why a proxy must be globally addressable (think entirely private services), but that could be a dangerous change to make at this point.

    I'd be happy to come up with a PR for this, is there some form you'd like to see this implemented?
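
The right-to-left, trusted-proxy parsing that the "Properly parse nested proxy" and "Allow for remote to be a private ip" comments describe, as an added example that is not xff's own code. It uses only the Go standard library; clientIP, isTrusted and sampleTrusted (a stand-in for AllowedSubnets) are hypothetical names, and all addresses are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Constructed sample: subnets of proxies we operate (stand-in for AllowedSubnets).
var sampleTrusted = []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8"), netip.MustParsePrefix("127.0.0.0/8")}

func isTrusted(ip netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP starts at the socket peer and walks X-Forwarded-For right to left,
// stepping back one hop only while the current hop is a trusted proxy.
func clientIP(remoteAddr, xffHeader string, trusted []netip.Prefix) (netip.Addr, error) {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return netip.Addr{}, fmt.Errorf("bad remote address %q: %w", remoteAddr, err)
	}
	current := ap.Addr().Unmap()
	hops := strings.Split(xffHeader, ",")
	for i := len(hops) - 1; i >= 0 && isTrusted(current, trusted); i-- {
		next, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // invalid entry: stop at the last valid address, never skip past it
		}
		current = next.Unmap()
	}
	return current, nil
}

func main() {
	for _, c := range [][2]string{ // constructed (peer, header) pairs
		{"203.0.113.9:52661", "42.42.42.42"},           // untrusted peer: header ignored
		{"10.0.0.2:4000", "42.42.42.42, 198.51.100.7"}, // client-supplied first hop ignored
		{"10.0.0.2:4000", "198.51.100.7, 10.0.0.1"},    // two nested trusted proxies
	} {
		ip, err := clientIP(c[0], c[1], sampleTrusted)
		fmt.Println(c[0], c[1], "->", ip, err)
	}
}
```

An invalid entry stops the walk at the last valid address, and a private address is returned when it is the first hop outside the trusted subnets, matching the two behavior changes listed in the PR.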
