traefik/pkg/ip/strategy.go

package ip

import (
	"net"
	"net/http"
	"net/netip"
	"strings"
)

const (
	xForwardedFor = "X-Forwarded-For"
)

// Strategy a strategy for IP selection.
type Strategy interface {
	GetIP(req *http.Request) string
}

// RemoteAddrStrategy a strategy that always return the remote address.
type RemoteAddrStrategy struct {
	// IPv6Subnet instructs the strategy to return the first IP of the subnet where IP belongs.
	IPv6Subnet *int
}

// GetIP returns the selected IP.
func (s *RemoteAddrStrategy) GetIP(req *http.Request) string {
	ip, _, err := net.SplitHostPort(req.RemoteAddr)
	if err != nil {
		return req.RemoteAddr
	}

	if s.IPv6Subnet != nil {
		return getIPv6SubnetIP(ip, *s.IPv6Subnet)
	}

	return ip
}

// DepthStrategy a strategy based on the depth inside the X-Forwarded-For from right to left.
type DepthStrategy struct {
	Depth int
	// IPv6Subnet instructs the strategy to return the first IP of the subnet where IP belongs.
	IPv6Subnet *int
}

// GetIP returns the selected IP.
func (s *DepthStrategy) GetIP(req *http.Request) string {
	xff := req.Header.Get(xForwardedFor)
	xffs := strings.Split(xff, ",")

	if len(xffs) < s.Depth {
		return ""
	}

	ip := strings.TrimSpace(xffs[len(xffs)-s.Depth])

	if s.IPv6Subnet != nil {
		return getIPv6SubnetIP(ip, *s.IPv6Subnet)
	}

	return ip
}

// PoolStrategy is a strategy based on an IP Checker.
// It allows to check whether addresses are in a given pool of IPs.
type PoolStrategy struct {
	Checker *Checker
}

// GetIP checks the list of Forwarded IPs (most recent first) against the
// Checker pool of IPs. It returns the first IP that is not in the pool, or the
// empty string otherwise.
func (s *PoolStrategy) GetIP(req *http.Request) string {
	if s.Checker == nil {
		return ""
	}

	xff := req.Header.Get(xForwardedFor)
	xffs := strings.Split(xff, ",")

	for i := len(xffs) - 1; i >= 0; i-- {
		xffTrimmed := strings.TrimSpace(xffs[i])
		if len(xffTrimmed) == 0 {
			continue
		}
		if contain, _ := s.Checker.Contains(xffTrimmed); !contain {
			return xffTrimmed
		}
	}

	return ""
}

// getIPv6SubnetIP returns the IPv6 subnet IP.
// It returns the original IP when it is not an IPv6, or if parsing the IP has failed with an error.
func getIPv6SubnetIP(ip string, ipv6Subnet int) string {
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return ip
	}

	if !addr.Is6() {
		return ip
	}

	prefix, err := addr.Prefix(ipv6Subnet)
	if err != nil {
		return ip
	}

	return prefix.Addr().String()
}
IPStrategy for selecting IP in whitelist 2018-08-24 17:20:03 +03:00			`package ip`

			`import (`
Add rate limiter, rename maxConn into inFlightReq Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com> Co-authored-by: Jean-Baptiste Doumenjou <jb.doumenjou@gmail.com> 2019-08-26 13:20:06 +03:00			`"net"`
IPStrategy for selecting IP in whitelist 2018-08-24 17:20:03 +03:00			`"net/http"`
Add support for ipv6 subnet in ipStrategy 2024-09-24 19:04:05 +03:00			`"net/netip"`
IPStrategy for selecting IP in whitelist 2018-08-24 17:20:03 +03:00			`"strings"`
			`)`

			`const (`
			`xForwardedFor = "X-Forwarded-For"`
			`)`

Update linter 2020-05-11 13:06:07 +03:00			`// Strategy a strategy for IP selection.`
IPStrategy for selecting IP in whitelist 2018-08-24 17:20:03 +03:00			`type Strategy interface {`
			`GetIP(req *http.Request) string`
			`}`

Update linter 2020-05-11 13:06:07 +03:00			`// RemoteAddrStrategy a strategy that always return the remote address.`
Add support for ipv6 subnet in ipStrategy 2024-09-24 19:04:05 +03:00			`type RemoteAddrStrategy struct {`
			`// IPv6Subnet instructs the strategy to return the first IP of the subnet where IP belongs.`
			`IPv6Subnet *int`
			`}`
IPStrategy for selecting IP in whitelist 2018-08-24 17:20:03 +03:00
Update linter 2020-05-11 13:06:07 +03:00			`// GetIP returns the selected IP.`
IPStrategy for selecting IP in whitelist 2018-08-24 17:20:03 +03:00			`func (s RemoteAddrStrategy) GetIP(req http.Request) string {`
Add rate limiter, rename maxConn into inFlightReq Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com> Co-authored-by: Jean-Baptiste Doumenjou <jb.doumenjou@gmail.com> 2019-08-26 13:20:06 +03:00			`ip, _, err := net.SplitHostPort(req.RemoteAddr)`
			`if err != nil {`
			`return req.RemoteAddr`
			`}`
Add support for ipv6 subnet in ipStrategy 2024-09-24 19:04:05 +03:00
			`if s.IPv6Subnet != nil {`
			`return getIPv6SubnetIP(ip, *s.IPv6Subnet)`
			`}`

Add rate limiter, rename maxConn into inFlightReq Co-authored-by: Julien Salleyron <julien.salleyron@gmail.com> Co-authored-by: Jean-Baptiste Doumenjou <jb.doumenjou@gmail.com> 2019-08-26 13:20:06 +03:00			`return ip`
IPStrategy for selecting IP in whitelist 2018-08-24 17:20:03 +03:00			`}`

Update linter 2020-05-11 13:06:07 +03:00			`// DepthStrategy a strategy based on the depth inside the X-Forwarded-For from right to left.`
IPStrategy for selecting IP in whitelist 2018-08-24 17:20:03 +03:00			`type DepthStrategy struct {`
			`Depth int`
Add support for ipv6 subnet in ipStrategy 2024-09-24 19:04:05 +03:00			`// IPv6Subnet instructs the strategy to return the first IP of the subnet where IP belongs.`
			`IPv6Subnet *int`
IPStrategy for selecting IP in whitelist 2018-08-24 17:20:03 +03:00			`}`

Add support for ipv6 subnet in ipStrategy 2024-09-24 19:04:05 +03:00			`// GetIP returns the selected IP.`
IPStrategy for selecting IP in whitelist 2018-08-24 17:20:03 +03:00			`func (s DepthStrategy) GetIP(req http.Request) string {`
			`xff := req.Header.Get(xForwardedFor)`
			`xffs := strings.Split(xff, ",")`

			`if len(xffs) < s.Depth {`
			`return ""`
			`}`
Add support for ipv6 subnet in ipStrategy 2024-09-24 19:04:05 +03:00
			`ip := strings.TrimSpace(xffs[len(xffs)-s.Depth])`

			`if s.IPv6Subnet != nil {`
			`return getIPv6SubnetIP(ip, *s.IPv6Subnet)`
			`}`

			`return ip`
IPStrategy for selecting IP in whitelist 2018-08-24 17:20:03 +03:00			`}`

doc: clarify usage for ratelimit's excludedIPs 2021-06-07 18:46:14 +03:00			`// PoolStrategy is a strategy based on an IP Checker.`
			`// It allows to check whether addresses are in a given pool of IPs.`
			`type PoolStrategy struct {`
IPStrategy for selecting IP in whitelist 2018-08-24 17:20:03 +03:00			`Checker *Checker`
			`}`

doc: clarify usage for ratelimit's excludedIPs 2021-06-07 18:46:14 +03:00			`// GetIP checks the list of Forwarded IPs (most recent first) against the`
			`// Checker pool of IPs. It returns the first IP that is not in the pool, or the`
			`// empty string otherwise.`
			`func (s PoolStrategy) GetIP(req http.Request) string {`
IPStrategy for selecting IP in whitelist 2018-08-24 17:20:03 +03:00			`if s.Checker == nil {`
			`return ""`
			`}`

			`xff := req.Header.Get(xForwardedFor)`
			`xffs := strings.Split(xff, ",")`

			`for i := len(xffs) - 1; i >= 0; i-- {`
Merge branch 'v1.7.2' into master 2018-10-05 13:43:17 +03:00			`xffTrimmed := strings.TrimSpace(xffs[i])`
doc: clarify usage for ratelimit's excludedIPs 2021-06-07 18:46:14 +03:00			`if len(xffTrimmed) == 0 {`
			`continue`
			`}`
Merge branch 'v1.7.2' into master 2018-10-05 13:43:17 +03:00			`if contain, _ := s.Checker.Contains(xffTrimmed); !contain {`
			`return xffTrimmed`
IPStrategy for selecting IP in whitelist 2018-08-24 17:20:03 +03:00			`}`
			`}`
doc: clarify usage for ratelimit's excludedIPs 2021-06-07 18:46:14 +03:00
IPStrategy for selecting IP in whitelist 2018-08-24 17:20:03 +03:00			`return ""`
			`}`
Add support for ipv6 subnet in ipStrategy 2024-09-24 19:04:05 +03:00
			`// getIPv6SubnetIP returns the IPv6 subnet IP.`
			`// It returns the original IP when it is not an IPv6, or if parsing the IP has failed with an error.`
			`func getIPv6SubnetIP(ip string, ipv6Subnet int) string {`
			`addr, err := netip.ParseAddr(ip)`
			`if err != nil {`
			`return ip`
			`}`

			`if !addr.Is6() {`
			`return ip`
			`}`

			`prefix, err := addr.Prefix(ipv6Subnet)`
			`if err != nil {`
			`return ip`
			`}`

			`return prefix.Addr().String()`
			`}`