aherman
/
boundary
mirror of https://github.com/hashicorp/boundary
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'fcafffdb24'
${ noResults }
boundary/internal/daemon/common/client_ip.go

65 lines
2.1 KiB
Raw Blame History

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package common
import (
"context"
"net"
"net/http"
"strings"
"github.com/hashicorp/boundary/internal/errors"
"github.com/hashicorp/go-secure-stdlib/listenerutil"
)
// ClientIpFromRequest will determine the client IP of the http request
func ClientIpFromRequest(ctx context.Context, listenerCfg *listenerutil.ListenerConfig, r *http.Request) (string, error) {
const op = "common.ClientIpFromRequest"
if r == nil {
return "", errors.New(ctx, errors.InvalidParameter, op, "missing http request")
}
if listenerCfg == nil {
return "", errors.New(ctx, errors.InvalidParameter, op, "missing listener config")
}
// using the XForwardedFor* listener config settings to determine how/if
// X-Forwarded-For are trusted/allowed for an inbound request.
trustedForwardedFor, remoteAddr, err := listenerutil.TrustedFromXForwardedFor(r, listenerCfg)
switch {
case err != nil:
return "", errors.Wrap(ctx, err, op, errors.WithMsg("failed to determine trusted X-Forwarded-For"))
case trustedForwardedFor == nil && remoteAddr == nil:
ip, err := ipFromRequestRemoteAddr(ctx, r)
if err != nil {
return "", errors.Wrap(ctx, err, op)
}
if listenerCfg.Type == "unix" && ip == "" {
// Some platforms (Linux) use "@" in this case but some like Mac
// leave it empty which causes issues with the rate limiting logic,
// so standardize on "@" in this case.
return "@", nil
}
return ip, nil
case trustedForwardedFor == nil && remoteAddr != nil:
// not reachable given listenerutil.TrustedFromXForwardedFor
// implementation in 11/2021 but that could change in the future, so
// this case is explicitly handled
return remoteAddr.Host, nil
default:
return trustedForwardedFor.Host, nil
}
}
func ipFromRequestRemoteAddr(ctx context.Context, r *http.Request) (string, error) {
const op = "common.ipFromRequestRemoteAddr"
if strings.ContainsRune(r.RemoteAddr, ':') {
if ip, _, err := net.SplitHostPort(r.RemoteAddr); err != nil {
return "", errors.Wrap(ctx, err, op)
} else {
return ip, nil
}
}
return r.RemoteAddr, nil
}
Reference in new issue View Git Blame Copy Permalink