How to get request's remote client IP in Node.js?

Open movahhedi opened this issue 1 year ago • 10 comments

What is the feature you are proposing?

How can I get the IP of the remote client?

I've seen https://hono.dev/docs/helpers/conninfo but there isn't anything for Node.js.

In Koa, it's ctx.request.ip.

May be useful:

  • https://www.npmjs.com/package/request-ip

movahhedi avatar Jun 19 '24 06:06 movahhedi

Hi @movahhedi, it depends on which deployment service you use.

EdamAme-x avatar Jun 19 '24 06:06 EdamAme-x

Hello @EdamAme-x

Node.js, PM2, nginx/Apache.

movahhedi avatar Jun 19 '24 06:06 movahhedi

Hi @movahhedi, you can pass the IP address as a header using nginx and a reverse proxy; see here, where this issue was discussed more.

NicoPlyley avatar Jun 19 '24 06:06 NicoPlyley

Isn't this feature good enough to be included in Hono [for Node]? Since it's there in Koa, it should be technically possible.

movahhedi avatar Jun 19 '24 07:06 movahhedi

I don't think Node.js by itself is often used to build servers, what do you think? I think most would use a reverse proxy or a deployment service.

Implementation in Koa: https://github.com/koajs/koa/blob/b89e19a27509c96d27af722f9951e0d72cb41eb5/lib/request.js#L455

EdamAme-x avatar Jun 19 '24 07:06 EdamAme-x

If you implement it, you can add it to the getConninfo helper.

EdamAme-x avatar Jun 19 '24 07:06 EdamAme-x

Hi @movahhedi, ConnInfo helper for Node.js has been released.

import { getConnInfo } from '@hono/node-server/conninfo'

nakasyou avatar Jul 07 '24 00:07 nakasyou

getConnInfo doesn't seem super useful, koa's ctx.ip also resolves X-Forwarded-For which is most likely what you're looking for in a production system.

KaelWD avatar Jul 07 '24 16:07 KaelWD

Indeed, though I'm not sure it's within the scope of ConnInfo Helper, I might need to support X-Forwarded-For.

yusukebe avatar Jul 08 '24 00:07 yusukebe

@movahhedi I think this is what you might be looking for: https://hono.dev/docs/getting-started/nodejs#access-the-raw-node-js-apis

Update: Just used this for IP address whitelisting and it works:

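import { Hono } from 'hono';
import { type HttpBindings } from '@hono/node-server'; // import bindings

const ipWhiteList = ['127.0.0.1']; // allowed client addresses (placeholder value)

const app = new Hono<{ Bindings: HttpBindings }>(); // create hono instance with bindings

app.post('/endpoint', async (c) => {
  // address of the TCP peer, read from the raw Node.js request
  const remoteAddress = c.env.incoming.socket.remoteAddress;
  // a missing address is treated as blocked
  const blocked = remoteAddress === undefined ? true : !ipWhiteList.includes(remoteAddress);
  // custom logic to handle when blocked or not (placeholder response below)
  return blocked ? c.text('Forbidden', 403) : c.text('OK');
});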

nigelnindodev avatar Jul 13 '24 07:07 nigelnindodev

I agree @KaelWD that having X-Forwarded-For resolved would make it more useful for those using nodeJS for their server? If @yusukebe agrees with that, I would be happy to sponsor/bounty this work if anyone is interested!

flipvh avatar Dec 03 '24 09:12 flipvh

@flipvh

Thank you for the comment. Regarding this issue, I'd like to know the opinions of the young developers. What do you think of this X-Forwarded-For matter? @nakasyou @EdamAme-x

yusukebe avatar Dec 03 '24 10:12 yusukebe

If we use X-Forwarded-For to get the IP address by default, an attack like this becomes possible.

await fetch('https://example.com/', {
  // request headers belong under the `headers` option
  headers: { 'X-Forwarded-For': '1.1.1.1' }
})

nakasyou avatar Dec 03 '24 11:12 nakasyou

The following is a good example of why X-Forwarded-For is relevant:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html#RequestCustomIPAddresses

It is important to note, per @nakasyou's comment, that clients can set this header as part of their fetch request and naive code might be tricked. That said, services like CloudFront have explicitly defined behaviours of how they handle this case and the actual client's request IP can still be determined (refer to the docs link).

Ultimately I don't think it's hono's responsibility to address knowledge/skill issues regarding the use of any particular header or how infrastructure can play a role in modifying requests; what's relevant is that there are valid reasons for hono developers to be able to read any headers of any request including X-Forwarded-For.

X-Forwarded-For can be important when something such as an nginx reverse proxy, CDN like CloudFront, etc. is in front of the hono API and will set it and the developer needs to read it.

In these cases, the "conninfo" IP could be something irrelevant and useless like the internal network IP of a load balancer.

In various infrastructure/deployment scenarios a different custom header might be used to pass along the client's original request IP so it doesn't make sense to restrict to certain hard-coded headers.

Example use-cases where a developer may need this value are throttling / rate limiting and analytics.

firxworx avatar Dec 04 '24 02:12 firxworx
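
The trade-off discussed in the comments above (X-Forwarded-For is spoofable by a direct client, yet needed behind a proxy) is usually resolved by honouring the header only when the TCP peer is a known proxy. The following is an added example, not code from this thread or from Hono; `resolveClientIp`, `normalizeIp`, `TRUSTED_PROXIES` and all addresses are hypothetical, and trusted proxies are assumed to be listed as exact addresses.

```javascript
// Added example, not part of Hono or @hono/node-server.
// Assumption: TRUSTED_PROXIES holds the exact addresses of your own reverse
// proxies (constructed sample values); CIDR matching is left out.
const TRUSTED_PROXIES = new Set(['127.0.0.1', '10.0.0.4', '10.0.0.5']);

// Node reports IPv4 peers on dual-stack sockets as "::ffff:a.b.c.d".
function normalizeIp(ip) {
  const s = (ip || '').trim();
  return s.toLowerCase().startsWith('::ffff:') && s.includes('.') ? s.slice(7) : s;
}

// remoteAddress: the TCP peer, e.g. c.env.incoming.socket.remoteAddress.
// xff: raw X-Forwarded-For value, e.g. c.req.header('x-forwarded-for').
function resolveClientIp(remoteAddress, xff, trusted = TRUSTED_PROXIES) {
  const peer = normalizeIp(remoteAddress);
  if (!peer) return undefined;
  // A direct client can send any X-Forwarded-For it likes: ignore the header
  // unless the connection itself comes from one of our proxies.
  if (!trusted.has(peer) || !xff) return peer;
  // Each proxy appends the address it saw, so walk right to left and stop at
  // the first hop that is not ours. Everything left of it is client-supplied.
  const hops = xff.split(',').map(normalizeIp).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted.has(hops[i])) return hops[i];
  }
  return peer; // the header only contained our own proxies
}

// Constructed sample requests: [TCP peer, X-Forwarded-For].
const samples = [
  ['203.0.113.9', '1.1.1.1'],                      // direct client spoofing the header
  ['::ffff:127.0.0.1', '198.51.100.7'],            // request relayed by local nginx
  ['10.0.0.5', '1.1.1.1, 198.51.100.7, 10.0.0.4'], // spoofed entry plus two proxies
];
for (const [peer, xff] of samples) {
  console.log(`${peer} | ${xff} -> ${resolveClientIp(peer, xff)}`);
}
```

In the first and third samples the client-supplied `1.1.1.1` is never returned; the result is the address observed by the outermost trusted hop.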

Thanks @firxworx, makes sense. This leaves us with only a docs suggestion: perhaps mentioning the possibility of a custom GetIPAddr function could get more attention. But that is very much a nice-to-have I guess :D. We will write our own function for this.

flipvh avatar Dec 05 '24 16:12 flipvh

Here's my library get-user-ip for getting IP addresses, which can be customized by specifying the second argument.

Maybe this is a good option, or encapsulated as a middleware?

lete114 avatar Jul 21 '25 09:07 lete114

what's the "hono way" of doing this?

maelp avatar Aug 02 '25 16:08 maelp