Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Conversation

@arp242
Copy link

@arp242 arp242 commented Jun 12, 2020

Fixes #453

Downside: this is not entirely backwards compatible; e.g. my app will
actually break because it assumes you're running it behind a proxy and
won't remove the port. Then again, it already breaks for people not
using a proxy, but in certain scenarios (e.g. some closed source app)
that will probably never really happen.

So ... maybe something for v5? Just thought I'd open a PR in any case.

Fixes #453

Downside: this is not entirely backwards compatible; e.g. my app will
actually break because it *assumes* you're running it behind a proxy and
won't remove the port. Then again, it already breaks for people not
using a proxy, but in certain scenarios (e.g. some closed source app)
that will probably never really happen.

So ... maybe something for v5? Just thought I'd open a PR in any case.
fn := func(w http.ResponseWriter, r *http.Request) {
if rip := realIP(r); rip != "" {
r.RemoteAddr = rip
r.RemoteAddr = net.JoinHostPort(rip, "0")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why would we add :0 port to the address? This doesn't make sense to me. Can you clarify?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because that's the format Go uses for RemoteAddr; see #453

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am wondering if the use of port 0 is actually the best way to go?
Since chi is an HTTP router - wouldn't 1.2.3.4 be equal to 1.2.3.4:80 (the default HTTP port)?
Or am I missing something?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's normally set to the source port, not destination port. Any value is "wrong", and at least 0 is "clearly wrong".

@pkieltyka
Copy link
Member

I think the best solution is to stop overwriting r.RemoteAddr from RealIP middleware and instead setting a value on the request context

@jawnsy
Copy link

jawnsy commented Feb 6, 2022

I think the best solution is to stop overwriting r.RemoteAddr from RealIP middleware and instead setting a value on the request context

@pkieltyka I think the problem with that approach is that it requires downstream consumers (either other middlewares or handlers) to be aware that the realip middleware is higher in the chain. It also means that removing the middleware (e.g. commenting out the r.Use line) would either require changes to downstream code (to stop checking for that context), or, I suppose compatibility logic in the middleware to just return the unmodified RemoteAddr in case the context does not exist. That behavior, in turn, seems like it could make debugging difficult in that case.

There are also some other disadvantages of the current approach (such as being vulnerable to spoofing attacks and having limited support for different header types) for which I'd like to propose some changes (I'll open a separate issue for that). Thanks for this awesome library!

@VojtechVitek VojtechVitek added v5 v6 and removed v5 labels Sep 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

RealIP sets r.RemoteAddr without port

5 participants