
Make the client IP accessible from a request_filter

Open LessThanGreaterThan opened this issue 11 months ago • 4 comments

What is the problem your feature solves, or the need it fulfills?

I would like to access the IP of a user connecting to a pingora proxy server to allow for further filtering/routing.

This could be used for rate limits or a "per user" upstream selection.

Describe the solution you'd like

A function in the Session struct to give out the IP address.

Describe alternatives you've considered

I don't see how I could implement an IP-based rate limit without an IP on the application level. An alternative would be using nftables, but that seems far from optimal.

Additional context

None

LessThanGreaterThan avatar Mar 03 '24 18:03 LessThanGreaterThan

It looks like the addr is just being dropped... pingora-core/src/protocols/l4/listener.rs or am I missing something?

impl Listener {
    /// Accept a connection from the listening endpoint
    pub async fn accept(&self) -> io::Result<Stream> {
        match &self {
            Self::Tcp(l) => l.accept().await.map(|(stream, _)| stream.into()),
            Self::Unix(l) => l.accept().await.map(|(stream, _)| stream.into()),
        }
    }
}

Please pass along the addr so we can rate limit, add it to forwarding headers, modify iptables, or whatever may be needed.

BrandonLeeDotDev avatar Mar 06 '24 06:03 BrandonLeeDotDev

Should additional metadata also be provided within Session, such as the server ip/port, and SSL metadata such as cipher, tls version, etc? I can create a new ticket with requests if needed.

dward avatar Mar 06 '24 16:03 dward

> Should additional metadata also be provided within Session, such as the server ip/port, and SSL metadata such as cipher, tls version, etc? I can create a new ticket with requests if needed.

This would be pretty helpful, as it allows generating JA3 fingerprints, etc.

LessThanGreaterThan avatar Mar 06 '24 16:03 LessThanGreaterThan

We're also looking at this internally right now too!

> Should additional metadata also be provided within Session, such as the server ip/port, and SSL metadata such as cipher, tls version, etc? I can create a new ticket with requests if needed.

Server IP/port can probably be bundled with this ask, I think additional metadata deserves its own tracking issue.

drcaramelsyrup avatar Mar 06 '24 20:03 drcaramelsyrup

client_addr() (and server_addr()) are now methods accessible from Session in 20fd391f3e78c9349149f11fae94da9e4657478e.

drcaramelsyrup avatar Mar 15 '24 21:03 drcaramelsyrup
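
An added example (not from this thread or from pingora's code base): a per-client limiter keyed on the peer address, the kind of check the issue wants to run from a request_filter. It uses only the standard library and assumes the caller converts whatever Session::client_addr() returns into an Option<std::net::SocketAddr>; ClientKey, client_key and FixedWindowLimiter are hypothetical names, and the sample address is constructed.

```rust
use std::collections::HashMap;
use std::net::{IpAddr, SocketAddr};
use std::time::{Duration, Instant};

/// Bucket key: one IPv4 address, or one IPv6 /64 (a client typically controls its whole /64).
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum ClientKey { V4([u8; 4]), V6Prefix64([u16; 4]) }

pub fn client_key(ip: IpAddr) -> ClientKey {
    match ip {
        IpAddr::V4(v4) => ClientKey::V4(v4.octets()),
        // Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; use the IPv4 bucket.
        IpAddr::V6(v6) => match v6.to_ipv4_mapped() {
            Some(v4) => ClientKey::V4(v4.octets()),
            None => {
                let s = v6.segments(); // eight 16-bit groups; keep the first four
                ClientKey::V6Prefix64([s[0], s[1], s[2], s[3]])
            }
        },
    }
}

/// Fixed-window counter: at most `limit` requests per key per `window`.
pub struct FixedWindowLimiter {
    limit: u32, window: Duration, hits: HashMap<ClientKey, (Instant, u32)>,
}

impl FixedWindowLimiter {
    pub fn new(limit: u32, window: Duration) -> Self { Self { limit, window, hits: HashMap::new() } }
    /// `peer` is None for a Unix-socket peer; allowing it is this example's policy assumption.
    pub fn allow(&mut self, peer: Option<SocketAddr>, now: Instant) -> bool {
        let addr = match peer { Some(a) => a, None => return true };
        let slot = self.hits.entry(client_key(addr.ip())).or_insert((now, 0));
        if now.duration_since(slot.0) >= self.window { *slot = (now, 0); }
        slot.1 = slot.1.saturating_add(1);
        slot.1 <= self.limit
    }
    /// Drop expired windows so the map cannot grow without bound.
    pub fn prune(&mut self, now: Instant) {
        let window = self.window;
        self.hits.retain(|_, (start, _)| now.duration_since(*start) < window);
    }
}

fn main() {
    let mut rl = FixedWindowLimiter::new(2, Duration::from_secs(60));
    let peer = "203.0.113.7:40000".parse().ok(); // constructed sample peer
    for i in 1..=3 { println!("request {}: allowed = {}", i, rl.allow(peer, Instant::now())); }
}
```

Calling prune on a timer keeps memory bounded when many distinct peers connect.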

This feature has been released in v0.1.1, but the crate repo hasn't gotten this update; it might need some manual operation: https://crates.io/crates/pingora

leric avatar Apr 10 '24 09:04 leric