📝 [Proposal]: Add Helpers for Internal IP Ranges about fiber HOT 4 OPEN

@xEricL I'm looking into this. I also found an issue, the more ranges you add to that list the longer a request takes.

from fiber.

@xEricL Yeah, that approach makes sense, let me do some benchmarks. Ibwant to make sure lookup times are consistent.

from fiber.

Thanks for opening your first issue here! 🎉 Be sure to follow the issue template! If you need help or want to chat with us, join us on Discord https://gofiber.io/discord

from fiber.

@gaby Thank you for taking an interest in this.

I just want to clarify that the IP ranges I provided was not a complete list.

There are also:

- IPv4 Broadcast 255.255.255.255
- IPv4 Multicast 224.0.0.0/4
- IPv6 Multicast ff00::/8
- IPv6 Loopback ::1/128

There are a lot more ranges defined in RFC6890, RFC4291 and RFC4193.

What are your thoughts on simply adding another option to fiber.Config, such as TrustInternalIPs: true?

net/ip has nice helper functions for detecting address types, such as ip.IsPrivate() (added in Go 1.16).

ctx.go defines a method isLocalHost. We could implement a similar method to check for internal IPs:

// Note: These are the same ranges enabled by default when configuring an IP extractor in Echo.
// https://github.com/labstack/echo/blob/master/ip.go#L174
func (*DefaultCtx) isInternalHost(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast()
}

and then use it in IsProxyTrusted():

func (c *DefaultCtx) IsProxyTrusted() bool {
	...
        ip := c.fasthttp.RemoteIP()

	if c.app.config.TrustInternalIPs && c.isInternalHost(ip) { return true }

	if _, trusted := c.app.config.trustedProxiesMap[ip.String()]; trusted {
		return true
	}
	...
}

This seems to be a much better approach than my initial idea of adding constants for each individual range. I didn't realize there were so many to consider when I first opened this request. It might even have better performance compared to adding the equivalent IP ranges to the TrustedProxies list.

from fiber.