pbojinov / request-ip

A Node.js module for retrieving a request's IP address on the server.
https://npmjs.com/package/request-ip
MIT License

Add prioritize option for header check order #75

Open Chheung opened 1 year ago

Chheung commented 1 year ago

So the X-Forwarded-For header can be exploited with this library if we add an XFF header to the request. On Nginx, we can use the alternative X-Real-IP header for the $remote_addr value.

Maybe we can add something like below?

```js
app.use(
  clientIp.mw({
    prioritize: ['x-real-ip'],
  })
);
```

This will change the header priority list from the default

```js
[
  'x-client-ip',
  'x-forwarded-for',
  'cf-connecting-ip',
  'fastly-client-ip',
  'true-client-ip',
  'x-real-ip',
  'x-cluster-client-ip',
  'x-forwarded',
  'forwarded-for',
  'forwarded',
  'x-appengine-user-ip',
];
```

to

```js
[
  'x-real-ip',
  'x-client-ip',
  'x-forwarded-for',
  'cf-connecting-ip',
  'fastly-client-ip',
  'true-client-ip',
  'x-cluster-client-ip',
  'x-forwarded',
  'forwarded-for',
  'forwarded',
  'x-appengine-user-ip',
];
```

Chheung commented 1 year ago

I will make a PR on this. https://github.com/pbojinov/request-ip/pull/76