
httpsec: handle client ip with multiple http headers #1796


Merged: 9 commits into main from julio.guerra/http-client-ip-update, Mar 27, 2023

Contributor

@Julio-Guerra Julio-Guerra commented Mar 13, 2023

What does this PR do?

Update the client IP algorithm to now handle the presence of multiple IP-related HTTP headers. To do so, the IP-related HTTP headers we want to handle are now ordered and the first client IP found among them is the one returned.

Motivation

The former implementation was a temporary version to gather data and feedback on how users use those IP-related HTTP headers. We found that:

  1. There are multiple HTTP headers most of the time.
  2. We could order them for the commonly found cases.
    Read more about this at https://datadoghq.atlassian.net/wiki/spaces/APS/pages/2118779066/Client+IP+addresses+resolution

Describe how to test/QA your changes

Reviewer's Checklist

  • If known, an appropriate milestone has been selected; otherwise the Triage milestone is set.
  • Changed code has unit tests for its functionality.
  • If this interacts with the agent in a new way, a system test has been added.


@Julio-Guerra Julio-Guerra added this to the v1.49.0 milestone Mar 13, 2023
@Julio-Guerra Julio-Guerra requested a review from a team as a code owner March 13, 2023 10:45
@Julio-Guerra Julio-Guerra requested a review from a team March 13, 2023 10:45
@pr-commenter

pr-commenter bot commented Mar 13, 2023

Benchmarks

Comparing candidate commit c518a5e in PR branch julio.guerra/http-client-ip-update with baseline commit 5b4118f in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 18 metrics, 0 unstable metrics.

Contributor

@Hellzy Hellzy left a comment

Looking good, thanks for this 👍

// none is present, it returns the first valid IP address present, possibly
// being a local IP address. The remote address, when valid, is used as fallback
// when no IP address has been found at all.
func ClientIP(hdrs map[string][]string, hasCanonicalMIMEHeaderKeys bool, remoteAddr string) (remoteIP, clientIP instrumentation.NetaddrIP) {
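Review bot: in the doc comment above `ClientIP`, the fallback wording ("possibly being a local IP address", remote address used "when valid") leaves the no-result case unstated. Say what `remoteIP` and `clientIP` hold when `remoteAddr` does not parse and no header yields an address, so callers know to check validity before using either value. The `hasCanonicalMIMEHeaderKeys` parameter also deserves a line in the comment on what callers must guarantee about the keys of `hdrs` when passing true.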
Contributor

Minor nit: maybe we can rename hasCanonicalMIMEHeaderKeys to something a bit shorter?
Something like hasCanonicalHeaders or even just canonicalHeaders?
No strong opinion there so I'm also fine leaving it as is.

Contributor Author

agreed, but now this is validated I won't change it 😅
let's do this when we move it into go-appsec-internals

@Julio-Guerra Julio-Guerra merged commit 92653b1 into main Mar 27, 2023
@Julio-Guerra Julio-Guerra deleted the julio.guerra/http-client-ip-update branch March 27, 2023 09:39
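
The resolution order from the PR description, combined with the fallback rules in the doc comment quoted in the review, as an added example that is not the PR's code. The header list and its order, and the names `resolveClientIP`, `parseIP` and `isPublic`, are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
	"strings"
)

// Assumed precedence, chosen for this example; not the list the PR ships.
var ipHeaders = []string{"X-Forwarded-For", "X-Real-Ip", "True-Client-Ip", "X-Client-Ip"}

// parseIP accepts "ip", "ip:port" or "[ip6]:port"; it returns the zero Addr on failure.
func parseIP(s string) netip.Addr {
	s = strings.TrimSpace(s)
	if ap, err := netip.ParseAddrPort(s); err == nil {
		return ap.Addr().Unmap()
	}
	a, _ := netip.ParseAddr(s)
	return a.Unmap()
}

// isPublic reports whether a is routable and outside private/unique-local space.
func isPublic(a netip.Addr) bool { return a.IsGlobalUnicast() && !a.IsPrivate() }

// resolveClientIP walks ipHeaders in order and returns the first public IP; failing
// that, the first valid (possibly local) header IP; failing that, the remote address.
func resolveClientIP(h http.Header, remoteAddr string) (remoteIP, clientIP netip.Addr) {
	remoteIP = parseIP(remoteAddr)
	var firstValid netip.Addr
	for _, name := range ipHeaders {
		for _, v := range h.Values(name) {
			for _, tok := range strings.Split(v, ",") {
				if ip := parseIP(tok); isPublic(ip) {
					return remoteIP, ip
				} else if ip.IsValid() && !firstValid.IsValid() {
					firstValid = ip
				}
			}
		}
	}
	if firstValid.IsValid() {
		return remoteIP, firstValid
	}
	return remoteIP, remoteIP // zero Addr if remoteAddr was unparsable too
}

func main() {
	h := http.Header{"X-Forwarded-For": {"10.0.0.7, 203.0.113.9"}} // constructed sample
	fmt.Println(resolveClientIP(h, "192.0.2.1:4711"))
}
```

Every header in the list is set by whoever sends the request unless a trusted proxy overwrites it, so the resolved value suits logging and attribution rather than access-control decisions.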
3 participants