From 8be3c819f145cb16b8711931205b0504ce50b29e Mon Sep 17 00:00:00 2001
From: Thomas LE ROUX
Date: Sat, 5 Mar 2022 14:59:23 +0100
Subject: [PATCH] fix(security): Add WithClientIPHeader function to create new Option

---
 README.md | 2 +-
 options.go | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 209669a..2b1e46b 100644
--- a/README.md
+++ b/README.md
@@ -94,7 +94,7 @@ store := memory.NewStore()
 instance := limiter.New(store, rate)
 
 // Alternatively, you can pass options to the limiter instance with several options.
-instance := limiter.New(store, rate, limiter.WithTrustForwardHeader(true), limiter.WithIPv6Mask(mask))
+instance := limiter.New(store, rate, limiter.WithClientIPHeader("True-Client-IP"), limiter.WithIPv6Mask(mask))
 
 // Finally, give the limiter instance to your middleware initializer.
 import "github.com/ulule/limiter/v3/drivers/middleware/stdlib"
diff --git a/options.go b/options.go
index 5cc0a0a..d8a44ea 100644
--- a/options.go
+++ b/options.go
@@ -41,8 +41,21 @@ func WithIPv6Mask(mask net.IPMask) Option {
 }
 
 // WithTrustForwardHeader will configure the limiter to trust X-Real-IP and X-Forwarded-For headers.
+// Please be advised that using this option could be insecure (ie: spoofed) if your reverse
+// proxy is not configured properly to forward a trustworthy client IP.
+// Please read the section "Limiter behind a reverse proxy" in the README for further information.
 func WithTrustForwardHeader(enable bool) Option {
 return func(o *Options) {
 o.TrustForwardHeader = enable
 }
 }
+
+// WithClientIPHeader will configure the limiter to use a custom header to obtain user IP.
+// Please be advised that using this option could be insecure (ie: spoofed) if your reverse
+// proxy is not configured properly to forward a trustworthy client IP.
+// Please read the section "Limiter behind a reverse proxy" in the README for further information.
+func WithClientIPHeader(header string) Option {
+ return func(o *Options) {
+ o.ClientIPHeader = header
+ }
+}
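Review bot: The doc comment on `WithClientIPHeader` does not say what an empty `header` means or which option takes precedence when `WithTrustForwardHeader(true)` is also set, and the closure stores the string without any validation. Because the header's value ends up as the rate-limit key, the warning should state the precondition concretely, for example `// The reverse proxy must overwrite this header on every inbound request; otherwise the client chooses its own limiter key.` If the lookup code (not visible in this patch) treats an empty name as "option disabled", add `// An empty header disables this option.` as well. The patch touches only README.md and this one hunk of options.go, so the `ClientIPHeader` field on `Options` presumably exists already; worth confirming the commit builds on its own.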