From 99fca5e337f0d520884f523982c032f58e8b9c04 Mon Sep 17 00:00:00 2001
From: starsz
Date: Tue, 27 Apr 2021 23:03:47 +0800
Subject: [PATCH 1/2] fix: use remote_addr instead of client ip
---
 api/internal/filter/ip_filter.go | 6 +++++-
 api/internal/filter/ip_filter_test.go | 19 +++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/api/internal/filter/ip_filter.go b/api/internal/filter/ip_filter.go
index de62cf5688..2d07dea552 100644
--- a/api/internal/filter/ip_filter.go
+++ b/api/internal/filter/ip_filter.go
@@ -19,6 +19,7 @@ package filter
 import (
 "net"
 "net/http"
+ "strings"
 
 "github.com/gin-gonic/gin"
 
@@ -81,7 +82,10 @@ func checkIP(ipStr string, ips map[string]bool, subnets []*subnet) bool {
 func IPFilter() gin.HandlerFunc {
 ips, subnets := generateIPSet(conf.AllowList)
 return func(c *gin.Context) {
- ipStr := c.ClientIP()
+ var ipStr string
+ if ip, _, err := net.SplitHostPort(strings.TrimSpace(c.Request.RemoteAddr)); err == nil {
+ ipStr = ip
+ }
 
 if len(conf.AllowList) < 1 {
 c.Next()
diff --git a/api/internal/filter/ip_filter_test.go b/api/internal/filter/ip_filter_test.go
index f9de0482b1..608e68c7b5 100644
--- a/api/internal/filter/ip_filter_test.go
+++ b/api/internal/filter/ip_filter_test.go
@@ -17,6 +17,7 @@
 package filter
 
 import (
+ "net/http/httptest"
 "testing"
 
 "github.com/gin-gonic/gin"
@@ -55,4 +56,22 @@ func TestIPFilter_Handle(t *testing.T) {
 })
 w = performRequest(r, "GET", "/test")
 assert.Equal(t, 200, w.Code)
+
+ // should forbidden
+ conf.AllowList = []string{"8.8.8.8"}
+ r = gin.New()
+ r.Use(IPFilter())
+ r.GET("/test", func(c *gin.Context) {})
+
+ req := httptest.NewRequest("GET", "/test", nil)
+ req.Header.Set("X-Forwarded-For", "8.8.8.8")
+ w = httptest.NewRecorder()
+ r.ServeHTTP(w, req)
+ assert.Equal(t, 403, w.Code)
+
+ req = httptest.NewRequest("GET", "/test", nil)
+ req.Header.Set("X-Real-Ip", "8.8.8.8")
+ w = httptest.NewRecorder()
+ r.ServeHTTP(w, req)
+ assert.Equal(t, 403, w.Code)
 }
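Review bot: In the new block in IPFilter, the error from `net.SplitHostPort` is dropped and `ipStr` is left empty, so an unparseable `RemoteAddr` is only rejected if `checkIP` (its body is outside this hunk) returns false for an empty string. An `else` branch that aborts the request, or at least a comment such as `// ipStr stays "" on parse failure; checkIP must reject it`, would make the fail-closed intent explicit instead of implied. It would also help to record above the block why `c.ClientIP()` was dropped, e.g. `// Match on the TCP peer address; X-Forwarded-For and X-Real-Ip are set by the client and must not decide allow-list membership`, and that behind a reverse proxy the allow list therefore has to match the proxy's address. The handler closure continues past the end of the hunk.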
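Review bot: The two new cases in TestIPFilter_Handle pass only because `httptest.NewRequest` fills in a default `RemoteAddr` (192.0.2.1:1234) that is not in the allow list, and nothing in the test states that. Setting it explicitly, e.g. `req.RemoteAddr = "192.0.2.1:1234"`, and adding a positive case where `RemoteAddr` carries the allow-listed address and the response is 200, would pin both halves of the fix: forwarded headers are ignored and the peer address is what gets matched. As far as the hunk shows, the block also overwrites the package-level `conf.AllowList` without restoring it, which can leak into other tests in the package; a deferred reset at the top of the test would avoid that (the function starts outside this hunk). The same cases are edited in PATCH 2/2 and the point applies there unchanged.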
From 2e72edbd6409d5e5f26fe82ecfca2917e9c649ef Mon Sep 17 00:00:00 2001
From: starsz
Date: Thu, 29 Apr 2021 09:29:06 +0800
Subject: [PATCH 2/2] update: test ip
---
 api/internal/filter/ip_filter_test.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/api/internal/filter/ip_filter_test.go b/api/internal/filter/ip_filter_test.go
index 608e68c7b5..dad4da6871 100644
--- a/api/internal/filter/ip_filter_test.go
+++ b/api/internal/filter/ip_filter_test.go
@@ -58,19 +58,19 @@ func TestIPFilter_Handle(t *testing.T) {
 assert.Equal(t, 200, w.Code)
 
 // should forbidden
- conf.AllowList = []string{"8.8.8.8"}
+ conf.AllowList = []string{"127.0.0.1"}
 r = gin.New()
 r.Use(IPFilter())
 r.GET("/test", func(c *gin.Context) {})
 
 req := httptest.NewRequest("GET", "/test", nil)
- req.Header.Set("X-Forwarded-For", "8.8.8.8")
+ req.Header.Set("X-Forwarded-For", "127.0.0.1")
 w = httptest.NewRecorder()
 r.ServeHTTP(w, req)
 assert.Equal(t, 403, w.Code)
 
 req = httptest.NewRequest("GET", "/test", nil)
- req.Header.Set("X-Real-Ip", "8.8.8.8")
+ req.Header.Set("X-Real-Ip", "127.0.0.1")
 w = httptest.NewRecorder()
 r.ServeHTTP(w, req)
 assert.Equal(t, 403, w.Code)