8 months ago
Currently, there seems to be no way to retrieve real client IP address as
X-Forwarded-For and X-Real-Ip can't be trusted:
$ curl -i -H 'X-Forwarded-For: 8.8.8.8' -H 'X-Real-Ip: 9.9.9.9' https://utilities.up.railway.app/raw
HTTP/2 200
cache-control: no-cache, no-store, no-transform, must-revalidate, private, max-age=0
date: Fri, 23 Aug 2024 08:45:31 GMT
expires: Thu, 01 Jan 1970 00:00:00 GMT
pragma: no-cache
server: railway-edge
vary: Origin
x-accel-expires: 0
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1724402732
x-request-id: 4xFEj4mwROqGvD0r8CS0GA_3500563535
GET /raw HTTP/1.1
Host: utilities.up.railway.app
Accept: */*
Accept-Encoding: gzip
User-Agent: curl/8.8.0
X-Forwarded-For: 8.8.8.8, 37.166.86.65
X-Forwarded-Host: utilities.up.railway.app
X-Forwarded-Proto: https
X-Real-Ip: 9.9.9.9
X-Real-Ip: 37.166.86.65
X-Request-Id: 4xFEj4mwROqGvD0r8CS0GA_3500563535
This is definitely a blocker for me as I can't rate-limit public APIs of my services without their IP.
9 Replies
8 months ago
Hello,
The rightmost value of the X-Forwarded-For header is trustworthy; you would want to split and then use the last value in the array as the real IP. I'm sure most "trust proxy" middlewares will do this for you.
However, X-Real-IP being duplicated like that is a bug and I will report that, but for now you are not blocked here!
Please let me know if you have any more questions!
Status changed to Awaiting User Response railway[bot] • 8 months ago
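One way to apply the rightmost-value rule from the reply above, written in Go since the reporter's service uses Fiber. This is an added example, not Railway's or Fiber's code; it assumes the number of trusted proxies in front of the service is known (trustedHops, which is 1 when only the Railway edge sits in front), and it deliberately ignores X-Real-Ip because the thread shows the client can inject it.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// clientIP returns the client address for a request that arrived through
// trustedHops proxies, each of which appends the peer address it saw to
// X-Forwarded-For. Only the rightmost trustedHops entries were written by
// infrastructure we control; everything to their left (and X-Real-Ip) is
// client-controlled and ignored. It returns "" when no trustworthy value exists.
func clientIP(h http.Header, trustedHops int) string {
	if trustedHops < 1 {
		return ""
	}
	var hops []string
	// Several X-Forwarded-For header lines are equivalent to one comma-joined line.
	for _, line := range h.Values("X-Forwarded-For") {
		for _, part := range strings.Split(line, ",") {
			if p := strings.TrimSpace(part); p != "" {
				hops = append(hops, p)
			}
		}
	}
	if len(hops) < trustedHops {
		return ""
	}
	// With one trusted proxy this is the last entry; with two, the one before it.
	candidate := hops[len(hops)-trustedHops]
	if net.ParseIP(candidate) == nil {
		return ""
	}
	return candidate
}

func main() {
	// Constructed from the request echoed earlier in this thread: the client
	// injected 8.8.8.8 and 9.9.9.9, and the edge appended the real peer address.
	h := http.Header{}
	h.Add("X-Forwarded-For", "8.8.8.8, 37.166.86.65")
	h.Add("X-Real-Ip", "9.9.9.9")
	fmt.Println(clientIP(h, 1)) // 37.166.86.65
}
```

trustedHops must match the real topology: setting it higher than the number of proxies that actually append to the header hands the choice back to the client.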
8 months ago
Typically, leftmost address is client address (at least that's what MDN says: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For).
Go Fiber starts parsing the leftmost address first, which can't be trusted, so I will wait until X-Real-IP is fixed to switch to the new proxy. Please let me know when this is fixed.
https://github.com/gofiber/fiber/blob/260c5e5406874e6d9a48ec2ef2c862d64a530e0b/ctx.go#L795
Thanks for your help, have a great day!
Status changed to Awaiting Railway Response railway[bot] • 8 months ago
8 months ago
Just for clarity, are the DNS IP and client IP positions swapped when using the Legacy proxy?
Status changed to Awaiting User Response railway[bot] • 8 months ago
8 months ago
I guess you meant proxy IPs and client IP. I don't know, as I'm relying on the X-Envoy-External-Address header currently.
Status changed to Awaiting Railway Response railway[bot] • 8 months ago
Status changed to Awaiting User Response railway[bot] • 8 months ago
8 months ago
X-Forwarded-For on Envoy behaves the same way as it does on the new edge proxy, so no functional change will happen there.
I will now report the X-Real-Ip duplication issue.
8 months ago
Hello, this has now been fixed, the client can no longer set the X-Real-Ip header.
Status changed to Awaiting Railway Response railway[bot] • 8 months ago
8 months ago
Would have been faster but I was in a call haha.
Let me know if you find any more oddities like this!
Status changed to Awaiting User Response railway[bot] • 8 months ago
Status changed to Solved brody • 8 months ago