-
Notifications
You must be signed in to change notification settings - Fork 126
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: expose actual remote address #175
Comments
Ah, so you'd like go-httpbin sitting behind your load balancer to report the IP address of the load balancer itself, rather than make an attempt to return the actual client IP address? That's interesting, I'd be curious to hear more about your use case here if you're willing and able to share! I'm reluctant to enable something like this by default, as it would expose potentially sensitive details about the network and infrastructure where an instance of go-httpbin is deployed, but if you or someone else opened a pull request adding a new, optional I'd probably want it modeled after the |
I was trying to figure out what the load balancer(s) were: my thought to debug/discover the system was to throw up a go-httpbin image using the existing CI pipelines, and see where the connections were coming from
Isn't that usually already available in I also note that at the moment the client can easily fake their IP as long as you aren't behind fly.io (the first preference in the code) e.g. |
Ha, yes, that's a good point! But doesn't that also eliminate the need for adding a new endpoint? # original example:
# $ curl -s https://httpbingo.org/headers | jq -r '.headers["X-Forwarded-For"][0]' | awk '{print $NF}'
# slightly more robust/correct example:
$ curl -s https://httpbingo.org/headers | jq -r '.headers["X-Forwarded-For"][0]' | awk -F, '{print $NF}' | tr -d ' '
66.241.125.232
Sure, but in this case, the client is only tricking itself, at least in terms of getting "risky" output out of go-httpbin. The other downside is that the go-httpbin server might log the incorrect remote addr in its logs, but if that's a real concern operators can deploy a "hardened" go-httpbin instance that adds middleware to prevent it. It would probably be reasonable to add an option to control this, if anyone is interested in making the effort. It would also probably be reasonable to document this potential downside in the Production Considerations section of the README. |
The most recent hop is missing, i.e. the remoteaddr as seen by go-httpbin.
I'm thinking of a malicious or misconfigured load balancer where the wrong e.g. |
👍 ah yeah, you're right, my mistake. In this case, I'm back to thinking that we could add an additional endpoint here, but that it should be opt-in rather than opt-out.
Maybe I'm missing something, but the use case of deploying a go-httpbin on untrusted/malicious infrastructure is not something I'm particularly worried about; if it's a real concern, I'd be in favor of adding an option to control how exactly go-httpbin determines the "client address" (e.g. "use header |
I was hoping to use go-httpbin today to figure out what the ip of my load balancer actually comes through as, but it was masked by the cloudflare CDN the request went through
Could you return the
.RemoteAddr
field somewhere in the response?Code
go-httpbin/httpbin/helpers.go
Lines 44 to 66 in 00a70e7
The text was updated successfully, but these errors were encountered: