
Filter internal IP addresses from X-Forwarded-For header

Open floatdrop opened this issue 7 years ago • 14 comments

Internal IPs (like 192.168.0.1) are not useful in any way for the server, so we often filter internal networks from headers.

floatdrop avatar Mar 15 '17 10:03 floatdrop

What if we exposed a flag that you can set, let's say ignoreInternal or ignoreLocal, and if it's true, then we return null when it's an internal IP such as 192.168.0.1.

Also thoughts on getting a cohesive list of internal ips?

pbojinov avatar Mar 15 '17 16:03 pbojinov

@pbojinov yeah, sounds nice. We used netmask for a while, until IPv6 came into play. I think ip is good candidate for this task.

floatdrop avatar Mar 15 '17 16:03 floatdrop

@floatdrop in this case, will using ip.isPrivate('127.0.0.1') // true from ip work out ok?

Do you have any example headers we can use for the tests? Want to make sure we're using real live data to cover these test cases.

pbojinov avatar Mar 15 '17 17:03 pbojinov

What about thoughts on naming for the flag: ignorePrivate, ignoreLocal, ignoreInternal?

pbojinov avatar Mar 15 '17 17:03 pbojinov

@pbojinov we have only tests for filtering IPv4 addresses (all of them from private networks), but no actual headers.

What about thoughts on naming for the flag: ignorePrivate, ignoreLocal, ignoreInternal?

I think ignorePrivate is good choice, because of ip.isPrivate method.

floatdrop avatar Mar 15 '17 17:03 floatdrop

Sounds good, I'll add this in. Thanks!

pbojinov avatar Mar 15 '17 17:03 pbojinov

There's an existing dependency on is.js, maybe add it upstream?

fluxsauce avatar Mar 21 '17 17:03 fluxsauce

@fluxsauce the dependency is in the package.json. Am I missing something else?

  "dependencies": {
    "is_js": "^0.9.0"
  }

It should install from npm. I'm seeing this when I run a fresh install:

> npm install request-ip
[email protected] /Users/petar/test
└─┬ [email protected]
  └── [email protected]

pbojinov avatar Mar 21 '17 18:03 pbojinov

@pbojinov I meant add is.ipPrivate to is.js first, as it could be useful in some other places.

fluxsauce avatar Mar 21 '17 19:03 fluxsauce

Any update on this?

Redmega avatar Apr 22 '17 15:04 Redmega

@Redmega yes it's in progress. I'll have something out soon.

pbojinov avatar Apr 25 '17 23:04 pbojinov

Awesome to hear. I'm doing a geoip check on an AWS box and it's grabbing the IP of the box itself. It's hard to tell without intense console logging if it's due to incorrectly set headers or the request-ip package itself. It isn't a high priority issue for us so I've left it alone for now, looking forward to the release 👍

Redmega avatar Apr 26 '17 17:04 Redmega

then we return null when it's a internal ip such as 192.168.0.1

Probably a better way is to return the first non-private IP from the x-forwarded-for header instead of null, e.g. 195.189.143.147 for X-Forwarded-For: 127.0.0.1, 192.168.0.100, 195.189.143.147, 130.236.236.80

maximium avatar Mar 11 '19 20:03 maximium
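The first-non-private lookup proposed above, as an added JavaScript example that is not request-ip's own code: isPrivate is a hand-written stand-in for ip.isPrivate from the ip package, and clientIpBehindTrustedProxies is an assumed helper illustrating that the leftmost header entries are client-supplied.

```javascript
// Added example, not request-ip's own code. isPrivate() is a hand-written
// stand-in for ip.isPrivate() from the `ip` package (RFC 1918, loopback,
// link-local, 0/8, IPv4-mapped IPv6, ::1, fc00::/7, fe80::/10).
function ipv4ToInt(addr) {
  const parts = addr.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

const PRIVATE_V4 = [
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['127.0.0.0', 8], ['169.254.0.0', 16], ['0.0.0.0', 8],
];

function isPrivate(addr) {
  let a = String(addr).trim().toLowerCase();
  if (a.startsWith('::ffff:')) a = a.slice(7); // IPv4-mapped IPv6 address
  const n = ipv4ToInt(a);
  if (n !== null) {
    return PRIVATE_V4.some(([base, bits]) => {
      const mask = (0xffffffff << (32 - bits)) >>> 0;
      return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
    });
  }
  if (a === '::1' || a === '::') return true;
  return /^f[cd][0-9a-f]{2}:/.test(a) || /^fe[89ab][0-9a-f]:/.test(a);
}

// X-Forwarded-For is comma-separated; each proxy appends the peer it saw.
function parseForwardedFor(header) {
  return String(header || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// The behaviour proposed in the thread: first entry that is not private.
function firstPublicIp(header) {
  return parseForwardedFor(header).find((a) => !isPrivate(a)) || null;
}

// Caveat: entries left of those your own proxies appended are client-supplied.
// With a known number of trusted hops, counting from the right is the safer pick.
function clientIpBehindTrustedProxies(header, trustedHops) {
  const chain = parseForwardedFor(header);
  const idx = chain.length - 1 - trustedHops;
  return idx >= 0 ? chain[idx] : null;
}
```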

What's the status on this?

evdama avatar Oct 03 '19 11:10 evdama