Currently, adding loopback, link-local, and private network addresses to the fiber.Config.TrustedProxies list requires us to manually add those ranges. Since web apps are commonly deployed behind reverse proxies, it would be helpful to have a simple way of adding these ranges without needing to search them up.
When configuring trusted proxies in Echo framework, the setup is a bit different:
e := echo.New()
_, myProxyRange, _ := net.ParseCIDR("173.245.48.0/20")
e.IPExtractor = echo.ExtractIPFromXFFHeader(
	echo.TrustLoopback(true),   // e.g. ipv4 start with 127.
	echo.TrustLinkLocal(true),  // e.g. ipv4 start with 169.254
	echo.TrustPrivateNet(true), // e.g. ipv4 start with 10. or 192.168
	echo.TrustIPRange(myProxyRange),
)
In Fiber, an equivalent setup would look something like
Although I prefer Fiber's method of using an array of strings, it would be nice to have constants like:
// Fiber helpers.go
// Note: This is not an exhaustive list.
const (
	...
	IPv4Loopback      = "127.0.0.0/8"
	IPv4LinkLocal     = "169.254.0.0/16"
	IPv4PrivateSmall  = "192.168.0.0/16"
	IPv4PrivateMedium = "172.16.0.0/12"
	IPv4PrivateLarge  = "10.0.0.0/8"
	IPv6Loopback      = "::1/128"
	IPv6LinkLocal     = "fe80::/10"
	IPv6PrivateNet    = "fc00::/7"
)
They don't necessarily need to be constants. We could add a new config option to fiber.Config instead:
app := fiber.New(fiber.Config{
	ProxyHeader:             fiber.HeaderXForwardedFor,
	EnableTrustedProxyCheck: true,
	TrustInternalIPs:        true, // default to false
	TrustedProxies: []string{
		"173.245.48.0/20", // My custom range
	},
})
This would be far easier, but at the cost of allowing developers to cherry pick individual ranges. Those cases are probably rare though, which might be why Echo's helper functions for these ranges default to true.
Thanks for opening your first issue here! 🎉 Be sure to follow the issue template! If you need help or want to chat with us, join us on Discord https://gofiber.io/discord
What are your thoughts on simply adding another option to fiber.Config, such as TrustInternalIPs: true?
net/ip has nice helper functions for detecting address types, such as ip.IsPrivate() (added in Go 1.16).
ctx.go defines a method isLocalHost. We could implement a similar method to check for internal IPs:
// Note: These are the same ranges enabled by default when configuring an IP extractor in Echo.
// https://github.com/labstack/echo/blob/master/ip.go#L174
func (*DefaultCtx) isInternalHost(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast()
}
This seems to be a much better approach than my initial idea of adding constants for each individual range. I didn't realize there were so many to consider when I first opened this request. It might even have better performance compared to adding the equivalent IP ranges to the TrustedProxies list.
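An added example (not Fiber's or Echo's code) of how a `TrustInternalIPs`-style switch would feed client IP resolution from `X-Forwarded-For`, walking the header right to left and stopping at the first untrusted hop. `clientIP`, `isInternal` and their parameters are hypothetical names, and the sample addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// isInternal mirrors the check proposed above: loopback, private, or link-local.
func isInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast()
}

// clientIP (hypothetical helper) resolves the client address from the TCP peer
// and an X-Forwarded-For value. If the peer is not a trusted proxy the header
// is ignored, because an untrusted peer could have written anything into it.
func clientIP(peer, xff string, trustInternal bool, trusted []*net.IPNet) string {
	isTrusted := func(ip net.IP) bool {
		for _, n := range trusted {
			if n.Contains(ip) {
				return true
			}
		}
		return trustInternal && isInternal(ip)
	}
	last := net.ParseIP(peer)
	if last == nil || !isTrusted(last) {
		return peer
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			break // malformed or empty entry: keep the last verified hop
		}
		last = ip
		if !isTrusted(ip) {
			break // first untrusted hop from the right is the client
		}
	}
	return last.String()
}

func main() {
	_, cdn, _ := net.ParseCIDR("173.245.48.0/20") // range from the issue text
	// Constructed sample: the leftmost X-Forwarded-For entry is client-supplied.
	fmt.Println(clientIP("10.0.0.5", "1.2.3.4, 198.51.100.9, 173.245.48.10", true, []*net.IPNet{cdn}))
}
```

With internal ranges trusted, every host on the private network that can reach the app directly is treated as a proxy, so the switch is only safe when that network segment contains nothing but the proxies themselves.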
Alignment with Express API
Express.js allows developers to set trusted proxy settings using pre-defined subnets:
HTTP RFC Standards Compliance
n/a (this is a quality of life improvement)
API Stability
IP address ranges don't change.