Documentation
Overview
Package xff provides trusted proxy handling and real client IP extraction from X-Forwarded-For headers.
This package has no external dependencies — it uses only the Go standard library.
The XFF extraction algorithm walks right-to-left through the X-Forwarded-For header, skipping trusted proxy IPs, and returns the first untrusted IP as the real client address. This follows the MDN-recommended approach for secure client IP extraction.
Usage with net/http middleware
tp, err := xff.NewFromCIDRs([]string{"10.0.0.0/8", "192.168.0.0/16"})
if err != nil {
	return err
}
handler := tp.HTTPMiddleware()(yourHandler)
Direct extraction
realIP := tp.ExtractRealIP(r)
Index
- func GetRealIP(r *http.Request) string
- type TrustedProxies
- func (tp *TrustedProxies) AddCIDR(cidr string) error
- func (tp *TrustedProxies) AddPrefix(prefix netip.Prefix)
- func (tp *TrustedProxies) ExtractRealIP(r *http.Request) string
- func (tp *TrustedProxies) HTTPMiddleware() func(http.Handler) http.Handler
- func (tp *TrustedProxies) IsTrusted(ip string) bool
- func (tp *TrustedProxies) Prefixes() []netip.Prefix
Functions
Types
type TrustedProxies
type TrustedProxies struct {
	// contains filtered or unexported fields
}
TrustedProxies holds a set of trusted proxy network prefixes and provides methods for extracting the real client IP from X-Forwarded-For headers.
func New
func New(prefixes ...netip.Prefix) *TrustedProxies
New creates a TrustedProxies from already-parsed prefixes.
func NewFromCIDRs
func NewFromCIDRs(cidrs []string) (*TrustedProxies, error)
NewFromCIDRs creates a TrustedProxies from CIDR strings (e.g., "10.0.0.0/8").
func (*TrustedProxies) AddCIDR
func (tp *TrustedProxies) AddCIDR(cidr string) error
AddCIDR adds a CIDR string to the trusted proxy list.
func (*TrustedProxies) AddPrefix
func (tp *TrustedProxies) AddPrefix(prefix netip.Prefix)
AddPrefix adds a parsed prefix to the trusted proxy list.
func (*TrustedProxies) ExtractRealIP
func (tp *TrustedProxies) ExtractRealIP(r *http.Request) string
ExtractRealIP extracts the real client IP from a request by walking the X-Forwarded-For header right-to-left, skipping trusted proxy IPs. If the immediate peer is not a trusted proxy, its IP is returned.
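A stand-alone sketch of the right-to-left walk described above, using only the standard library. It is an added example, not the xff package's source: `realClientIP`, `isTrusted`, `newReq` and `sampleTrusted` are hypothetical names, and falling back to the peer address when an entry is malformed is this example's assumption, not documented package behaviour.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
	"strings"
)

// Constructed sample data: the CIDRs from the usage snippet and a request builder.
var sampleTrusted = []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8"), netip.MustParsePrefix("192.168.0.0/16")}

func newReq(peer string, xff ...string) *http.Request {
	return &http.Request{RemoteAddr: peer, Header: http.Header{"X-Forwarded-For": xff}}
}

func isTrusted(a netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(a.Unmap()) { // Unmap so ::ffff:10.0.0.7 matches 10.0.0.0/8
			return true
		}
	}
	return false
}

// realClientIP (hypothetical name, not the package's API) walks the header right-to-left.
func realClientIP(r *http.Request, trusted []netip.Prefix) string {
	ap, err := netip.ParseAddrPort(r.RemoteAddr) // net/http fills this with "IP:port"
	if err != nil {
		return r.RemoteAddr
	}
	peer := ap.Addr().Unmap()
	if isTrusted(peer, trusted) { // an untrusted peer controls the header, so skip it
		hops := strings.Split(strings.Join(r.Header.Values("X-Forwarded-For"), ","), ",")
		for i := len(hops) - 1; i >= 0; i-- {
			addr, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
			if err != nil {
				break // assumption: a malformed hop ends the walk
			}
			if !isTrusted(addr, trusted) {
				return addr.Unmap().String()
			}
		}
	}
	return peer.String() // header absent, malformed, or all hops trusted
}

func main() {
	fmt.Println(realClientIP(newReq("10.0.0.5:443", "1.2.3.4, 203.0.113.9, 10.0.0.7"), sampleTrusted))
}
```

In the sample request the leftmost entry is client-supplied; the walk returns the first untrusted hop from the right and never reaches it.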
func (*TrustedProxies) HTTPMiddleware
func (tp *TrustedProxies) HTTPMiddleware() func(http.Handler) http.Handler
HTTPMiddleware returns a net/http middleware that extracts the real client IP from X-Forwarded-For headers and stores it in the request context and RemoteAddr. The port in RemoteAddr is set to 0 because the original port belongs to the proxy connection, not the real client.
func (*TrustedProxies) IsTrusted
func (tp *TrustedProxies) IsTrusted(ip string) bool
IsTrusted reports whether ip belongs to any of the trusted proxy ranges.
func (*TrustedProxies) Prefixes
func (tp *TrustedProxies) Prefixes() []netip.Prefix
Prefixes returns a copy of the trusted proxy prefixes.
Directories
| Path | Synopsis |
|---|---|
| | Package xffecho adapts xff.TrustedProxies for use with the Echo web framework's X-Forwarded-For IP extraction. |
| | Package fastlyxff loads Fastly CDN IP ranges and returns a generic xff.TrustedProxies for trusted proxy handling. |