path: root/pkg/cloudflare/middleware.go
blob: b5780a5bb918bca53971783fc4219e5d60ff1fd8 (plain)
package cloudflare

import (
	"fmt"
	"net/http"
	"net/netip"
)

// RealIP returns middleware that replaces the request's RemoteAddr with the
// address carried in the CF-Connecting-IP header. The header is honoured only
// when the connection's peer address parses and HasIP reports it as belonging
// to a Cloudflare prefix; the peer's port is preserved in the new RemoteAddr.
//
// For this to be secure, the Host header must be verified.
//
// Every failure path is fail-open with respect to request handling: if the
// peer is not Cloudflare, or either address fails to parse, the request is
// still handed to next with its original RemoteAddr and with the
// CF-Connecting-IP header left in place. onError is the only signal that a
// header arrived from an untrusted peer, so handlers behind this middleware
// should take the client address from r.RemoteAddr and not read the header
// themselves.
//
// onError may be nil, in which case failures are silently ignored. It receives
// the original, unmodified request.
func RealIP(onError func(*http.Request, error)) func(next http.Handler) http.Handler {
	// fail reports a problem to onError, building the error only when a
	// callback was actually supplied.
	fail := func(req *http.Request, format string, args ...any) {
		if onError == nil {
			return
		}
		onError(req, fmt.Errorf(format, args...))
	}

	// resolve returns the request that should be served: either r itself or a
	// shallow copy whose RemoteAddr holds the Cloudflare-reported client.
	resolve := func(r *http.Request) *http.Request {
		claimed := r.Header.Get("CF-Connecting-IP")
		if claimed == "" {
			return r
		}

		peer, err := netip.ParseAddrPort(r.RemoteAddr)
		if err != nil {
			fail(r, "parse remote addr: %w", err)
			return r
		}

		// Trust decision: the header is believed only if the peer address is
		// in a Cloudflare prefix.
		// NOTE(review): HasIP is defined elsewhere; if it matches with
		// netip.Prefix.Contains, an IPv4-mapped IPv6 peer would not match an
		// IPv4 prefix (which fails closed) — confirm.
		if !HasIP(peer.Addr()) {
			fail(r, "have CF-Connecting-IP, but ip %s is not Cloudflare", peer.Addr())
			return r
		}

		client, err := netip.ParseAddr(claimed)
		if err != nil {
			fail(r, "parse CF-Connecting-IP: %w", err)
			return r
		}

		// Shallow copy so the caller's *http.Request is not mutated; the
		// Header map and Body are still shared with the original.
		rewritten := *r
		rewritten.RemoteAddr = netip.AddrPortFrom(client, peer.Port()).String()
		return &rewritten
	}

	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			req := resolve(r)
			next.ServeHTTP(w, req)
		})
	}
}