
srealip (Secure Real IP)

Go package for securely extracting an HTTP client's real public IP address, for rate limiting, IP limiting or logging on an HTTP server.

(Update: see this blog post by Adam Pritchard for a comprehensive analysis of HTTP headers and security.)

The library provides two functions for extracting the IP address from an HTTP request:

  • SecureRealIP - returns the trusted, non-private real IP address from the input request. This IP can be trusted only if your HTTP server is behind a reverse proxy such as AWS ELB/ALB, Azure Front Door or Google Load Balancer. It can be used for security use cases (rate limiting, IP limiting, etc.).

  • NaiveRealIP - returns the most real non-private IP address ("closest to client") from the input request. This IP can be spoofed by a malicious sender, so avoid using it for security purposes (use it only for logging or troubleshooting).

Example

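package main

import (
	"fmt"
	"log"
	"net/http"

	"github.com/AppsFlyer/srealip"
)

// Handle prints both views of the client's address for one request.
func Handle(r *http.Request) {
	// Spoofable by the sender: use for logging or troubleshooting only.
	naiveIP := srealip.NaiveRealIP(r)
	fmt.Printf("Client's IP for logging / troubleshooting: %s\n", naiveIP)

	// Trustworthy only when the server sits behind a reverse proxy.
	secureIP := srealip.SecureRealIP(r)
	fmt.Printf("Client's IP for rate / ip limit: %s\n", secureIP)
}

// main wires Handle into a server so the example compiles and runs;
// the route and port are arbitrary.
func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		Handle(r)
	})
	log.Fatal(http.ListenAndServe(":8080", nil))
}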
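
Why the two functions above deserve different levels of trust, shown with the standard library only. This is an added illustration, not srealip's code: the leftmost/rightmost selection over X-Forwarded-For is an assumed, common strategy, and publicXFF, pick and newRequest are hypothetical names. The rightmost value is meaningful only when the server is reachable solely through the reverse proxy.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// publicXFF returns the public addresses found in all X-Forwarded-For header
// lines, in hop order: leftmost is nearest the client, rightmost nearest us.
func publicXFF(r *http.Request) []string {
	var out []string
	for _, line := range r.Header.Values("X-Forwarded-For") {
		for _, part := range strings.Split(line, ",") {
			ip := net.ParseIP(strings.TrimSpace(part))
			if ip == nil || ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
				continue // skip garbage and internal hops
			}
			out = append(out, ip.String())
		}
	}
	return out
}

// pick returns the leftmost entry (client-controlled, logging only) or the
// rightmost one (appended by the proxy in front of us, usable for limits).
func pick(r *http.Request, rightmost bool) string {
	ips := publicXFF(r)
	switch {
	case len(ips) == 0:
		return ""
	case rightmost:
		return ips[len(ips)-1]
	}
	return ips[0]
}

// newRequest builds a constructed sample request with the given header lines.
func newRequest(xff ...string) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, "http://example.test/", nil)
	for _, v := range xff {
		r.Header.Add("X-Forwarded-For", v)
	}
	return r
}

func main() {
	// Constructed: the client sent a forged first line; the proxies appended the rest.
	r := newRequest("198.51.100.7", "203.0.113.50, 10.0.0.5")
	fmt.Println("leftmost:", pick(r, false), "rightmost:", pick(r, true))
}
```

A rate limiter keyed on the leftmost value lets the sender choose a fresh key per request by changing the header; the rightmost public value is the one the proxy observed.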