You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When having a reverse proxy-based setup request.info.remoteAddress should not be used as it always holds the proxy's IP and not the real client IP. This means that the request rate limiting is actually enforced against the proxy and not the individual clients.
In order to fix this, we need to look at the x-forwarded-for HTTP header (if it exists) and take the real client's IP address from it.
There is a hapijs issue which talks about the same problem: hapijs/hapi#1210
They actually propose a function which will extract the client IP address from the x-forwarded-for headed if it exists. We might use it:
/**
* extract the final client ip address. can not use request.info.remoteAddress directly because client may be behind a proxy/loadbalancer
* @param request
*/
export function extractClientIp(request: hapi.Request) {
//from http://stackoverflow.com/questions/29496257/knowing-request-ip-in-hapi-js-restful-api
var xFF = request.headers['x-forwarded-for'];
var ip = xFF ? xFF.split(',')[0] : request.info.remoteAddress;
return ip;
}
The text was updated successfully, but these errors were encountered:
When having a reverse proxy-based setup
request.info.remoteAddress
should not be used as it always holds the proxy's IP and not the real client IP. This means that the request rate limiting is actually enforced against the proxy and not the individual clients.In order to fix this, we need to look at the x-forwarded-for HTTP header (if it exists) and take the real client's IP address from it.
There is a hapijs issue which talks about the same problem: hapijs/hapi#1210
They actually propose a function which will extract the client IP address from the x-forwarded-for headed if it exists. We might use it:
The text was updated successfully, but these errors were encountered: