Use first public IP (don't bypass RemoteAddr automatically)

tomasen / realip

a golang library that can get client's real public ip address from http request headers

MIT License

221 stars 47 forks source link

Use first public IP (don't bypass RemoteAddr automatically) #9

Open henvic opened 6 years ago

henvic commented 6 years ago

This isn't affecting me (or I'd send a pull request), but I believe instead of bypassing RemoteAddr if X-Forwarded-For or X-Real-Ip header exists you should test whether RemoteAddr is public. If it is, use this value. This would be the safer (in terms of security) thing to do.

Also, you might want to have a look into https://tools.ietf.org/html/rfc7239 if you decide to support other headers.

dayuoba commented 6 years ago

@henvic hi may you pls give more details about the insecure problem happy to know about this : )