cloudflare / pingora

A library for building fast, reliable and evolvable network services.
Apache License 2.0

Make the client IP accessible from a request_filter #105

Closed LessThanGreaterThan closed 3 months ago

LessThanGreaterThan commented 4 months ago

What is the problem your feature solves, or the need it fulfills?

I would like to access the IP of a user connecting to a pingora proxy server to allow for further filtering/routing.

This could be used for rate limits or a "per user" upstream selection.

Describe the solution you'd like

A function in the Session struct to give out the IP address.

Describe alternatives you've considered

I don't see how I could implement an IP-based rate limit without an IP on the application level. An alternative would be using nftables, but that seems far from optimal.

Additional context

None

BrandonLeeDotDev commented 4 months ago

It looks like the addr is just being dropped... pingora-core/src/protocols/l4/listener.rs or am I missing something?

impl Listener {
    /// Accept a connection from the listening endpoint
    pub async fn accept(&self) -> io::Result<Stream> {
        match &self {
            Self::Tcp(l) => l.accept().await.map(|(stream, _)| stream.into()),
            Self::Unix(l) => l.accept().await.map(|(stream, _)| stream.into()),
        }
    }
}

Please pass along the addr so we can rate limit, add it to forwarding headers, modify iptables, or whatever may be needed.

dward commented 4 months ago

Should additional metadata also be provided within Session, such as the server ip/port, and SSL metadata such as cipher, tls version, etc? I can create a new ticket with requests if needed.

LessThanGreaterThan commented 4 months ago

> Should additional metadata also be provided within Session, such as the server ip/port, and SSL metadata such as cipher, tls version, etc? I can create a new ticket with requests if needed.

This would be pretty helpful, as it allows generating JA3 fingerprints etc.

drcaramelsyrup commented 4 months ago

We're also looking at this internally right now too!

> Should additional metadata also be provided within Session, such as the server ip/port, and SSL metadata such as cipher, tls version, etc? I can create a new ticket with requests if needed.

Server IP/port can probably be bundled with this ask; I think additional metadata deserves its own tracking issue.

drcaramelsyrup commented 3 months ago

client_addr() (and server_addr()) are now methods accessible from Session in 20fd391f3e78c9349149f11fae94da9e4657478e.

leric commented 3 months ago

This feature has been released in v0.1.1, but the crate repo hasn't gotten this update; it might need some manual operation: https://crates.io/crates/pingora
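Added example, not part of the issue thread and not pingora's own code: a std-only sketch of the per-IP rate limit this issue asks for, keyed on the peer socket address a proxy obtains once the accepted address is no longer dropped. `PerIpLimiter`, `limit_key` and the sample address are hypothetical or constructed; grouping IPv6 clients by /64 and letting non-IP peers through are assumptions.

```rust
use std::collections::HashMap;
use std::net::{IpAddr, Ipv6Addr, SocketAddr};
use std::time::{Duration, Instant};

/// Limit key: the IPv4 address, or the /64 prefix for IPv6, so a client cannot
/// dodge the limit by rotating source ports or addresses inside its own subnet.
pub fn limit_key(peer: &SocketAddr) -> IpAddr {
    match peer.ip() {
        IpAddr::V6(v6) => match v6.to_ipv4_mapped() {
            Some(v4) => IpAddr::V4(v4), // ::ffff:a.b.c.d counts as plain IPv4
            None => IpAddr::V6(Ipv6Addr::from(u128::from(v6) & (!0u128 << 64))),
        },
        v4 => v4,
    }
}

/// Fixed-window request counter per key (hypothetical helper, not pingora API).
pub struct PerIpLimiter {
    max: u32,
    window: Duration,
    hits: HashMap<IpAddr, (Instant, u32)>, // key -> (window start, count)
}

impl PerIpLimiter {
    pub fn new(max: u32, window: Duration) -> Self {
        Self { max, window, hits: HashMap::new() }
    }
    /// `peer` is None for a non-IP listener (e.g. Unix socket); allowed by assumption.
    pub fn allow(&mut self, peer: Option<&SocketAddr>, now: Instant) -> bool {
        let Some(p) = peer else { return true };
        let slot = self.hits.entry(limit_key(p)).or_insert((now, 0));
        if now.duration_since(slot.0) >= self.window {
            *slot = (now, 0); // window expired: start a new one
        }
        slot.1 = slot.1.saturating_add(1);
        slot.1 <= self.max
    }
    /// Call periodically so entries for idle clients do not accumulate.
    pub fn prune(&mut self, now: Instant) {
        let window = self.window;
        self.hits.retain(|_, v| now.duration_since(v.0) < window);
    }
}

fn main() {
    let peer: SocketAddr = "203.0.113.7:40000".parse().unwrap(); // constructed sample
    let mut lim = PerIpLimiter::new(2, Duration::from_secs(60));
    for _ in 0..3 { println!("allowed: {}", lim.allow(Some(&peer), Instant::now())); }
}
```

If the proxy sits behind another load balancer, the peer address is that balancer's, so the key would have to come from a trusted forwarding header instead.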