Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

request.remoteAddress should not be used behind proxies #24

Open
bf opened this issue Aug 3, 2016 · 1 comment
Open

request.remoteAddress should not be used behind proxies #24

bf opened this issue Aug 3, 2016 · 1 comment
Labels

Comments

@bf
Copy link

bf commented Aug 3, 2016

When having a reverse proxy-based setup request.info.remoteAddress should not be used as it always holds the proxy's IP and not the real client IP. This means that the request rate limiting is actually enforced against the proxy and not the individual clients.

In order to fix this, we need to look at the x-forwarded-for HTTP header (if it exists) and take the real client's IP address from it.

There is a hapijs issue which talks about the same problem: hapijs/hapi#1210

They actually propose a function which will extract the client IP address from the x-forwarded-for headed if it exists. We might use it:

/**
 *  extract the final client ip address.   can not use request.info.remoteAddress directly because client may be behind a proxy/loadbalancer
 * @param request
 */
export function extractClientIp(request: hapi.Request) {
    //from http://stackoverflow.com/questions/29496257/knowing-request-ip-in-hapi-js-restful-api
    var xFF = request.headers['x-forwarded-for'];
    var ip = xFF ? xFF.split(',')[0] : request.info.remoteAddress;
    return ip;
}
@bf
Copy link
Author

bf commented Aug 3, 2016

I have created a pull request

#25

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants