Look for client IP as the second-to-last entry in the IP list (#2380)

sethvargo · web-flow · commit c5fe960426d8 · 2022-11-01T20:15:33.000Z
Also add a debug log for when we fall back to rate limiting by IP address.
diff --git a/pkg/controller/middleware/firewall_test.go b/pkg/controller/middleware/firewall_test.go
@@ -97,7 +97,7 @@ func TestProcessFirewall(t *testing.T) {
 		{
 			name: "single_allowed_xff",
 			ctx: controller.WithRealm(ctx, &database.Realm{
-				AllowedCIDRsServer: []string{"1.2.3.4/32"},
+				AllowedCIDRsServer: []string{"5.6.7.8/32"},
 			}),
 			remoteAddr: "9.8.7.6",
 			xff:        "5.6.7.8, 1.2.3.4",
diff --git a/pkg/ratelimit/limitware/middleware.go b/pkg/ratelimit/limitware/middleware.go
@@ -194,10 +194,14 @@ func UserIDKeyFunc(ctx context.Context, scope string, hmacKey []byte) httplimit.
 
 // IPAddressKeyFunc uses the client IP to rate limit.
 func IPAddressKeyFunc(ctx context.Context, scope string, hmacKey []byte) httplimit.KeyFunc {
+	logger := logging.FromContext(ctx)
+
 	return func(r *http.Request) (string, error) {
 		// Get the remote addr
 		ip := realip.FromGoogleCloud(r)
 
+		logger.Debugw("falling back to rate limiting by ip address", "address", ip)
+
 		dig, err := digest.HMAC(ip, hmacKey)
 		if err != nil {
 			return "", fmt.Errorf("failed to digest ip: %w", err)
diff --git a/pkg/realip/realip.go b/pkg/realip/realip.go
@@ -41,7 +41,7 @@ func FromGoogleCloud(r *http.Request) string {
 	if xff != "" {
 		parts := strings.Split(xff, ",")
 		if len(parts) > 1 {
-			ip = parts[len(parts)-1]
+			ip = parts[len(parts)-2]
 		}
 	}
 
diff --git a/pkg/realip/realip_test.go b/pkg/realip/realip_test.go
@@ -51,18 +51,18 @@ func TestOnGoogleCloud(t *testing.T) {
 		{
 			name: "xff_multi",
 			xff:  "34.1.2.3,231.5.4.3,2.2.2.2",
-			exp:  "2.2.2.2",
+			exp:  "231.5.4.3",
 		},
 		{
 			name: "xff_multi_trim",
 			xff:  "     34.1.2.3,  231.5.4.3,2.2.2.2",
-			exp:  "2.2.2.2",
+			exp:  "231.5.4.3",
 		},
 		{
 			name:       "remote_addr_with_xff",
 			remoteAddr: "1.1.1.1",
 			xff:        "34.1.2.3,231.5.4.3,2.2.2.2",
-			exp:        "2.2.2.2",
+			exp:        "231.5.4.3",
 		},
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -97,7 +97,7 @@ func TestProcessFirewall(t *testing.T) {`
`97`	`97`	`{`
`98`	`98`	`name: "single_allowed_xff",`
`99`	`99`	`ctx: controller.WithRealm(ctx, &database.Realm{`
`100`		`- AllowedCIDRsServer: []string{"1.2.3.4/32"},`
	`100`	`+ AllowedCIDRsServer: []string{"5.6.7.8/32"},`
`101`	`101`	`}),`
`102`	`102`	`remoteAddr: "9.8.7.6",`
`103`	`103`	`xff: "5.6.7.8, 1.2.3.4",`
Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ func FromGoogleCloud(r *http.Request) string {`
`41`	`41`	`if xff != "" {`
`42`	`42`	`parts := strings.Split(xff, ",")`
`43`	`43`	`if len(parts) > 1 {`
`44`		`- ip = parts[len(parts)-1]`
	`44`	`+ ip = parts[len(parts)-2]`
`45`	`45`	`}`
`46`	`46`	`}`
`47`	`47`
Original file line number	Diff line number	Diff line change
`@@ -51,18 +51,18 @@ func TestOnGoogleCloud(t *testing.T) {`
`51`	`51`	`{`
`52`	`52`	`name: "xff_multi",`
`53`	`53`	`xff: "34.1.2.3,231.5.4.3,2.2.2.2",`
`54`		`- exp: "2.2.2.2",`
	`54`	`+ exp: "231.5.4.3",`
`55`	`55`	`},`
`56`	`56`	`{`
`57`	`57`	`name: "xff_multi_trim",`
`58`	`58`	`xff: " 34.1.2.3, 231.5.4.3,2.2.2.2",`
`59`		`- exp: "2.2.2.2",`
	`59`	`+ exp: "231.5.4.3",`
`60`	`60`	`},`
`61`	`61`	`{`
`62`	`62`	`name: "remote_addr_with_xff",`
`63`	`63`	`remoteAddr: "1.1.1.1",`
`64`	`64`	`xff: "34.1.2.3,231.5.4.3,2.2.2.2",`
`65`		`- exp: "2.2.2.2",`
	`65`	`+ exp: "231.5.4.3",`
`66`	`66`	`},`
`67`	`67`	`}`
`68`	`68`