Skip to content

Resolve client IP via trusted proxies instead of trusting all X-Forwarded-For#245

Open
artemrootman wants to merge 3 commits into
mainfrom
fix/xff-trusted-proxy
Open

Resolve client IP via trusted proxies instead of trusting all X-Forwarded-For#245
artemrootman wants to merge 3 commits into
mainfrom
fix/xff-trusted-proxy

Conversation

@artemrootman

@artemrootman artemrootman commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Problem

ContextWithIps unioned every X-Forwarded-For token into the client IP set, and the allowed-ips check (local/drpc key PreCheckSetting) matched if any token equaled an allowed IP. A client connecting directly could therefore send X-Forwarded-For: <allowed-ip> and bypass a key's allowed-ips restriction.

Fix

Resolve a single client IP: use the direct peer (RemoteAddr) unless it is a configured trusted proxy (server.trusted-proxies, CIDRs or bare IPs), in which case take the right-most X-Forwarded-For entry that is not itself trusted.

With no trusted proxies configured (the default), X-Forwarded-For is ignored entirely, so the behavior is secure by default and opt-in for proxied deployments.

Tests

Table-driven coverage in pkg/utils: untrusted peer ignores a spoofed XFF, trusted peer takes the right-most untrusted hop, attacker-prepended entries are ignored, all-trusted hops fall back to the peer, plus ParseTrustedProxies validation.

…rded-For

ContextWithIps unioned every X-Forwarded-For token into the client IP set,
and the allowed-ips check (local/drpc key PreCheckSetting) matched if ANY
token equaled an allowed IP. A client connecting directly could therefore
send X-Forwarded-For: <allowed-ip> and bypass a key's allowed-ips restriction.

Resolve a single client IP: use the direct peer (RemoteAddr) unless it is a
configured trusted proxy (server.trusted-proxies, CIDRs or bare IPs), in which
case take the right-most X-Forwarded-For entry that is not itself trusted. With
no trusted proxies configured (the default), X-Forwarded-For is ignored, so the
behavior is secure by default and opt-in for proxied deployments.
@artemrootman artemrootman changed the title Resolve client IP via trusted proxies instead of trusting all X-Forwa… Resolve client IP via trusted proxies instead of trusting all X-Forwarded-For Jun 30, 2026
@mxssl
mxssl requested a review from KirillPamPam July 11, 2026 19:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant