package api
import (
"context"
"net"
"net/http"
"strings"
)
// contextKey is the package-private type used for context keys, so that
// values stored by this package cannot collide with string keys set elsewhere.
type contextKey string

// ctxRealIP is the context key under which the RealIP middleware stores the
// client address it selected for the request.
const (
	ctxRealIP contextKey = "real_ip"
)
// RealIP is middleware that records the client's address in the request
// context before calling next. The address comes from extractRealIP, which
// prefers X-Forwarded-For (as set by Traefik), then X-Real-IP, then the
// connection's RemoteAddr. If no valid address is found the request is
// passed on unchanged, and GetRealIP returns "" for it.
//
// NOTE(review): the forwarding headers are accepted from any peer. The stored
// value identifies the client only when this handler is reachable solely
// through a proxy that sets those headers itself; confirm that for the
// deployment before relying on it for rate limiting, allow-lists or audit logs.
func RealIP(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if addr := extractRealIP(r); addr != "" {
			ctx := context.WithValue(r.Context(), ctxRealIP, addr)
			r = r.WithContext(ctx)
		}
		next(w, r)
	}
}
// GetRealIP returns the client address stored in r's context under
// ctxRealIP. It returns "" when no string value is stored there, for example
// when the RealIP middleware did not run or found no valid address.
func GetRealIP(r *http.Request) string {
	// A failed type assertion leaves addr as the zero value, "".
	addr, _ := r.Context().Value(ctxRealIP).(string)
	return addr
}
// extractRealIP selects the client address for r. It returns the first
// candidate that parses as an IP address, trying in order:
//
//  1. the first entry of X-Forwarded-For (Traefik, nginx, etc.),
//  2. X-Real-IP (used by some proxies),
//  3. the host part of r.RemoteAddr (direct connection).
//
// It returns "" when none of them yields a valid IP.
//
// NOTE(review): both headers are supplied by whoever sent the request, and
// nothing here checks that the peer in RemoteAddr is a known proxy. The first
// X-Forwarded-For entry is the real client only when every request arrives
// through a proxy that overwrites or sanitises the header. If the service can
// be reached directly, or the proxy appends to a client-supplied value, the
// sender chooses the address returned here. Verify the proxy configuration
// before using the result for access control, rate limiting or attribution.
func extractRealIP(r *http.Request) string {
	// Header candidates in priority order. X-Forwarded-For may list
	// "client, proxy1, proxy2"; only the text before the first comma is used.
	// An absent header yields "", which isValidIP rejects.
	headerCandidates := []string{
		strings.SplitN(r.Header.Get("X-Forwarded-For"), ",", 2)[0],
		r.Header.Get("X-Real-IP"),
	}
	for _, raw := range headerCandidates {
		if candidate := strings.TrimSpace(raw); isValidIP(candidate) {
			return candidate
		}
	}

	// Fall back to the address of the immediate peer.
	if peer, _, err := net.SplitHostPort(r.RemoteAddr); err == nil && isValidIP(peer) {
		return peer
	}
	return ""
}
// isValidIP reports whether ip is a textual IPv4 or IPv6 address that
// net.ParseIP accepts. Host:port pairs and the empty string are rejected.
func isValidIP(ip string) bool {
	return net.ParseIP(ip) != nil
}