Open banool opened 6 months ago
imbolc
commented
6 months ago Yeah, I've skimmed through the docs and it seems to be correct:
X-Forwarded-For: <supplied-value>,<client-ip>,<load-balancer-ip>Can we add a SecureClientIpSource::XForwardedFor variant?
Do you mean SecondRightmostXForwardedFor? I think we can, with a comment that if users aren't sure, they probably need the RightmostXForwardedFor and mentioning GCP LBs.
Would you provide a PR?
imbolc
commented
6 months ago Ah, sorry, I've missed the issue header, returning multiple ips would require changing the extractor: struct SecureClientIp(pub IpAddr). The current idea is to make the code work on different hosting platforms by setting SecureClientIpSource from e.g. env variables. So it assumes the same behaviour (returning a single ip) for all the sources.
Are you suggesting changing it to return multiple IPs instead? Wouldn't it imply some imperative logic on the user's part to get the correct IP depending on the source anyway?
It seems like SecureClientIpSource only has a RightmostXForwardedFor variant. With GCP LBs, the client IP is the 2nd rightmost IP. Can we add a SecureClientIpSource::XForwardedFor variant?
I see this mentioned in a similar issue but that issue was closed since the author ended up using InsecureClientIp: https://github.com/imbolc/axum-client-ip/issues/24.