go-siris / siris

DEPRECATED: The community driven fork of Iris. The fastest web framework for Golang!

real-ip only via enabled config *security #32

Closed Dexus closed 7 years ago

Dexus commented 7 years ago

Make real-IP headers only change the remote address when the config is set; otherwise visitors are able to fake their own IP addresses... Make a config variable to enable different types of "proxies".

hiveminded commented 7 years ago

Thanks for pointing that out on that commit's comment.

At ion, an Iris-based framework too, we fixed that with the following options: WithRemoteAddrHeader/WithoutRemoteAddrHeader, which can be passed to app.Run.

You're free to see the code and apply these fixes on this repo too, the commit is: https://github.com/get-ion/ion/commit/a4e550dc37b0d27384c3b84c1015de1db4009d3b

Best regards from @get-ion !

Dexus commented 7 years ago

@hiveminded please note "CF-Connecting-IP", not "HTTP_CF_CONNECTING_IP", because these are real headers and not a PHP/FCGI client or server that changes the header to UPPERCASE and prefixes the header names to prevent overwriting the environment...
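The point of the issue (a forwarding header such as X-Forwarded-For or CF-Connecting-IP must never override the socket address unless the operator has opted in, because anyone who can reach the server directly can send that header) and the opt-in options hiveminded mentions can be shown in a small resolver. The following is an added example, not code from siris or ion: the `RemoteAddrConfig` type, its `TrustedHeaders`/`TrustedProxies` fields, `ParseProxies`, `ClientIP` and the `NewRequest` helper are all hypothetical names chosen for the illustration. The config is stricter than a plain header switch: a header is honoured only when the direct peer is a listed proxy, and multi-hop `X-Forwarded-For` values are read from the right so an entry the client prepended itself is ignored. Addresses in `main` are constructed sample values.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// RemoteAddrConfig (hypothetical; not the siris/ion API) decides when a
// forwarding header may replace the TCP peer address.
type RemoteAddrConfig struct {
	TrustedHeaders []string     // e.g. "CF-Connecting-IP", "X-Forwarded-For"; empty = never trust headers
	TrustedProxies []*net.IPNet // only these peers may set the headers above
}

// ParseProxies turns CIDR strings into networks; a bare IP becomes a /32 or /128.
func ParseProxies(cidrs ...string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, s := range cidrs {
		if !strings.Contains(s, "/") {
			if ip := net.ParseIP(s); ip != nil {
				bits := 32
				if ip.To4() == nil {
					bits = 128
				}
				s = fmt.Sprintf("%s/%d", ip, bits)
			}
		}
		_, n, err := net.ParseCIDR(s)
		if err != nil {
			return nil, err
		}
		nets = append(nets, n)
	}
	return nets, nil
}

func (c *RemoteAddrConfig) trusted(ip net.IP) bool {
	for _, n := range c.TrustedProxies {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// peerIP extracts the IP from r.RemoteAddr, which net/http fills as "ip:port".
func peerIP(r *http.Request) net.IP {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	return net.ParseIP(host)
}

// ClientIP returns the address to report for the request. Headers are consulted
// only when the direct peer is a trusted proxy, so a visitor connecting directly
// cannot choose their own address by sending X-Forwarded-For or CF-Connecting-IP.
func (c *RemoteAddrConfig) ClientIP(r *http.Request) string {
	peer := peerIP(r)
	if peer == nil {
		return r.RemoteAddr
	}
	if !c.trusted(peer) {
		return peer.String()
	}
	for _, h := range c.TrustedHeaders {
		v := strings.TrimSpace(r.Header.Get(h))
		if v == "" {
			continue
		}
		// Multi-hop headers look like "client, proxy1, proxy2". Walk from the
		// right, skipping our own proxies; the first untrusted hop is the client.
		// Anything the client prepended itself sits further left and is never reached.
		parts := strings.Split(v, ",")
		for i := len(parts) - 1; i >= 0; i-- {
			ip := net.ParseIP(strings.TrimSpace(parts[i]))
			if ip == nil {
				break // malformed entry: trust nothing to its left
			}
			if !c.trusted(ip) {
				return ip.String()
			}
		}
	}
	return peer.String() // every hop was one of ours; fall back to the peer
}

// NewRequest builds a request with a given peer address and headers (test helper).
func NewRequest(remoteAddr string, headers map[string]string) *http.Request {
	r := httptest.NewRequest("GET", "/", nil)
	r.RemoteAddr = remoteAddr
	for k, v := range headers {
		r.Header.Set(k, v)
	}
	return r
}

func main() {
	proxies, _ := ParseProxies("10.0.0.0/8") // constructed: our reverse-proxy range
	cfg := &RemoteAddrConfig{TrustedHeaders: []string{"CF-Connecting-IP", "X-Forwarded-For"}, TrustedProxies: proxies}
	spoof := NewRequest("198.51.100.7:4321", map[string]string{"X-Forwarded-For": "1.2.3.4"})
	fmt.Println("direct client with forged header ->", cfg.ClientIP(spoof))
	viaProxy := NewRequest("10.0.0.5:1234", map[string]string{"X-Forwarded-For": "1.2.3.4, 203.0.113.9, 10.0.0.6"})
	fmt.Println("client behind proxy ->", cfg.ClientIP(viaProxy))
}
```

With `TrustedHeaders` left empty the resolver behaves like the "without remote-address header" mode: `RemoteAddr` is always the socket peer, which is the safe default for a server that is not behind a proxy.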