package middleware // Ported from Goji's middleware, source: // https://github.com/zenazn/goji/tree/master/web/middleware import ( "net/http" "strings" ) var xForwardedFor = http.CanonicalHeaderKey("X-Forwarded-For") var xRealIP = http.CanonicalHeaderKey("X-Real-IP") // RealIP is a middleware that sets a http.Request's RemoteAddr to the results // of parsing either the X-Forwarded-For header or the X-Real-IP header (in that // order). // // This middleware should be inserted fairly early in the middleware stack to // ensure that subsequent layers (e.g., request loggers) which examine the // RemoteAddr will see the intended value. // // You should only use this middleware if you can trust the headers passed to // you (in particular, the two headers this middleware uses), for example // because you have placed a reverse proxy like HAProxy or nginx in front of // Goji. If your reverse proxies are configured to pass along arbitrary header // values from the client, or if you use this middleware without a reverse // proxy, malicious clients will be able to make you very sad (or, depending on // how you're using RemoteAddr, vulnerable to an attack of some sort). func RealIP(h http.Handler) http.Handler { fn := func(w http.ResponseWriter, r *http.Request) { if rip := realIP(r); rip != "" { r.RemoteAddr = rip } h.ServeHTTP(w, r) } return http.HandlerFunc(fn) } func realIP(r *http.Request) string { var ip string if xff := r.Header.Get(xForwardedFor); xff != "" { i := strings.Index(xff, ", ") if i == -1 { i = len(xff) } ip = xff[:i] } else if xrip := r.Header.Get(xRealIP); xrip != "" { ip = xrip } return ip }