Log the remote address, and only trust localhost proxies

I need the actual remote address to add fail2ban rules for it, but i
also to not want everyone to be able to fake X-Forward-For HTTP headers.
Which can contain multiple ip addresses, by the way, so i have to get
only the first one, as the others will be the proxies that the request
has been (re)forwarded to.
This commit is contained in:
jordi fita mas 2023-06-13 14:21:54 +02:00
parent ac28393398
commit d79ddc6731
2 changed files with 15 additions and 5 deletions

View File

@ -44,7 +44,7 @@ func Logger(handler http.Handler) http.Handler {
referer = "-" referer = "-"
} }
log.Printf("HTTP - %s - - [%s] \"%s %s %s\" %d %d \"%s\" \"%s\" %s\n", log.Printf("HTTP - %s - - [%s] \"%s %s %s\" %d %d \"%s\" \"%s\" %s\n",
r.RemoteAddr, remoteAddr(r),
t.Format("02/Jan/2006:15:04:05 -0700"), t.Format("02/Jan/2006:15:04:05 -0700"),
r.Method, r.Method,
r.URL.Path, r.URL.Path,

View File

@ -7,6 +7,7 @@ import (
"html/template" "html/template"
"net" "net"
"net/http" "net/http"
"strings"
"time" "time"
"golang.org/x/text/language" "golang.org/x/text/language"
@ -129,11 +130,20 @@ func HandleLogout(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
} }
func remoteAddr(r *http.Request) string { func remoteAddr(r *http.Request) string {
address := r.Header.Get("X-Forwarded-For") address, _, _ := net.SplitHostPort(r.RemoteAddr)
if address == "" { if address != "localhost" && address != "127.0.0.1" && address != "::1" {
address, _, _ = net.SplitHostPort(r.RemoteAddr)
}
return address return address
}
forwarded := r.Header.Get("X-Forwarded-For")
if forwarded == "" {
return address
}
ips := strings.Split(forwarded, ", ")
forwarded = ips[0]
if forwarded == "" {
return address
}
return forwarded
} }
func setSessionCookie(w http.ResponseWriter, cookie string) { func setSessionCookie(w http.ResponseWriter, cookie string) {