realip

README

realip for Caddy v2

This repo is a port of captncraig's "realip" module to Caddy v2. See original plugin below:

https://github.com/captncraig/caddy-realip

Syntax

# tell caddy to process realip before other plugins
order realip first

realip {
    header name
    from cidr
    maxhops #
    strict
}

name is the name of the header containing the actual IP address. recommended value is "X-Forwarded-For".

cidr is the address range of expected proxy servers. As a security measure, IP headers are only accepted from known proxy servers. Must be a valid cidr block notation. This may be specified multiple times. cloudflare and cloudfront are currently supported.

maxhops specifies a limiting number of forwards if using "X-Forwarded-For" or similar headers as the identifier. Recommended value is 5.

strict, if specified, will reject requests from unkown proxy IPs with a 403 status. If not specified, it will simply leave the original IP in place.

Example

Simple usage to read X-Forwarded-For from cloudflare:

# tell caddy to process realip before other plugins
order realip first

realip {
  header "X-Forwarded-For"
  from cloudflare
  maxhops 5
}

Documentation

Index

• func LoadCloudFront() ([]*net.IPNet, error)
• func LoadCloudflare() ([]*net.IPNet, error)
• func MustParseCIDR(cidr string) *net.IPNet
• type AwsIPRanges
• type CIDRSet
• type CIDRUpdater
• type RealIP
  • func (RealIP) CaddyModule() caddy.ModuleInfo
  • func (m *RealIP) Cleanup() error
  • func (m *RealIP) Provision(ctx caddy.Context) error
  • func (m RealIP) ServeHTTP(w http.ResponseWriter, req *http.Request, handler caddyhttp.Handler) error
  • func (m *RealIP) UnmarshalCaddyfile(d *caddyfile.Dispenser) error

Functions

func LoadCloudFront

func LoadCloudFront() ([]*net.IPNet, error)

func LoadCloudflare

func LoadCloudflare() ([]*net.IPNet, error)

func MustParseCIDR

func MustParseCIDR(cidr string) *net.IPNet

Types

type AwsIPRanges

type AwsIPRanges struct {
	SyncToken  string `json:"syncToken"`
	CreateDate string `json:"createDate"`
	Prefixes   []struct {
		IPPrefix           string `json:"ip_prefix"`
		Region             string `json:"region"`
		Service            string `json:"service"`
		NetworkBorderGroup string `json:"network_border_group"`
	} `json:"prefixes"`
}

type CIDRSet

type CIDRSet struct {
	Ranges []*net.IPNet
	Update CIDRUpdater
}

type CIDRUpdater

type CIDRUpdater func() ([]*net.IPNet, error)

type RealIP

type RealIP struct {

	// Presets stores the presets that should be loaded
	Presets []string `json:"presets"`

	// From stores any manually included presets
	From []*net.IPNet `json:"from"`

	// Header to load an IP Address from typically X-Forwarded-For
	Header string `json:"header"`

	// MaxHops configures the maxiumum number of hops or IPs to be found in a forward header.
	// It's purpose is to prevent abuse and/or DOS attacks from long forward-chains, since each one
	// must be parsed and checked against a list of subnets.
	// The default is 5, -1 to disable. If set to 0, any request with a forward header will be rejected
	MaxHops int `json:"max_hops"`

	// Will reject the request if a valid IP address can not be found
	Strict bool `json:"strict"`

	// How often the dynamic presets are reloaded
	RefreshFrequency caddy.Duration `json:"refresh_frequency"`
	// contains filtered or unexported fields
}

func (RealIP) CaddyModule

func (RealIP) CaddyModule() caddy.ModuleInfo

func (*RealIP) Cleanup

func (m *RealIP) Cleanup() error

func (*RealIP) Provision

func (m *RealIP) Provision(ctx caddy.Context) error

func (RealIP) ServeHTTP

func (m RealIP) ServeHTTP(w http.ResponseWriter, req *http.Request, handler caddyhttp.Handler) error

func (*RealIP) UnmarshalCaddyfile

func (m *RealIP) UnmarshalCaddyfile(d *caddyfile.Dispenser) error