Comments (4)
@xEricL I'm looking into this. I also found an issue, the more ranges you add to that list the longer a request takes.
from fiber.
@xEricL Yeah, that approach makes sense, let me do some benchmarks. I want to make sure lookup times are consistent.
from fiber.
Thanks for opening your first issue here! 🎉 Be sure to follow the issue template! If you need help or want to chat with us, join us on Discord https://gofiber.io/discord
from fiber.
@gaby Thank you for taking an interest in this.
I just want to clarify that the IP ranges I provided were not a complete list.
There are also:
- IPv4 Broadcast 255.255.255.255
- IPv4 Multicast 224.0.0.0/4
- IPv6 Multicast ff00::/8
- IPv6 Loopback ::1/128
There are a lot more ranges defined in RFC6890, RFC4291 and RFC4193.
What are your thoughts on simply adding another option to fiber.Config, such as TrustInternalIPs: true?
net/ip has nice helper functions for detecting address types, such as ip.IsPrivate() (added in Go 1.16).
ctx.go defines a method isLocalHost. We could implement a similar method to check for internal IPs:

```go
// Note: These are the same ranges enabled by default when configuring an IP extractor in Echo.
// https://github.com/labstack/echo/blob/master/ip.go#L174
func (*DefaultCtx) isInternalHost(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast()
}
```

and then use it in IsProxyTrusted():
```go
func (c *DefaultCtx) IsProxyTrusted() bool {
	// ...
	ip := c.fasthttp.RemoteIP()
	if c.app.config.TrustInternalIPs && c.isInternalHost(ip) {
		return true
	}
	if _, trusted := c.app.config.trustedProxiesMap[ip.String()]; trusted {
		return true
	}
	// ...
}
```
This seems to be a much better approach than my initial idea of adding constants for each individual range. I didn't realize there were so many to consider when I first opened this request. It might even have better performance compared to adding the equivalent IP ranges to the TrustedProxies list.
from fiber.
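The check proposed in the comment above can be run outside Fiber to see exactly which peer addresses it would treat as a trusted proxy, next to the equivalent list of ranges scanned linearly. This is an added example, not code from Fiber or from the issue; `parseCIDRs`, `internalNets` and `inCIDRList` are hypothetical names, and the sample addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
)

// isInternalHost is the proposed check as a free function so it runs without
// Fiber. net.IP.IsPrivate requires Go 1.17 or later.
func isInternalHost(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast()
}

// parseCIDRs (hypothetical helper) parses range strings once, at start-up.
func parseCIDRs(cidrs ...string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// internalNets spells out the ranges the three helpers cover.
var internalNets = parseCIDRs(
	"127.0.0.0/8", "::1/128", // loopback
	"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", // private
	"169.254.0.0/16", "fe80::/10", // link-local unicast
)

// inCIDRList is a linear scan: its cost grows with the number of ranges.
func inCIDRList(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample addresses (not from the issue).
	for _, s := range []string{"10.1.2.3", "::ffff:192.168.1.5", "fd00::1",
		"255.255.255.255", "224.0.0.1", "ff02::1", "100.64.0.1"} {
		ip := net.ParseIP(s)
		fmt.Println(s, isInternalHost(ip), inCIDRList(ip, internalNets))
	}
}
```

Broadcast, multicast and RFC 6598 shared address space (100.64.0.0/10) are not matched by either form, so a deployment whose proxies sit in those ranges would still need explicit entries in its trusted proxy list.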