
How can we initialise trustedCIDRs if using TLS or the manual graceful shutdown approach? #2904

Open
MichaelBurgess opened this issue Oct 18, 2021 · 3 comments

Comments


MichaelBurgess commented Oct 18, 2021

Description

If we use the .Run() function to launch the server, that function initialises trusted CIDRs:

func (engine *Engine) Run(addr ...string) (err error) {
	defer func() { debugPrintError(err) }()

	trustedCIDRs, err := engine.prepareTrustedCIDRs()
	if err != nil {
		return err
	}
	engine.trustedCIDRs = trustedCIDRs
	address := resolveAddress(addr)
	debugPrint("Listening and serving HTTP on %s\n", address)
	err = http.ListenAndServe(address, engine)
	return
}

However, the RunTLS or manual graceful shutdown approaches don't do this:

func (engine *Engine) RunTLS(addr, certFile, keyFile string) (err error) {
	debugPrint("Listening and serving HTTPS on %s\n", addr)
	defer func() { debugPrintError(err) }()

	err = http.ListenAndServeTLS(addr, certFile, keyFile, engine)
	return
}

FYI we are using the manual graceful shutdown approach.

As a result of not calling prepareTrustedCIDRs, the ClientIP function will never trust the X-Forwarded-For or X-Real-IP headers. We are running in a Kube env and all of our requests are coming from an internal proxy IP, so we need to be able to get at the real client IP.

How can we initialise trustedCIDRs if not using the Run() approach? It's internal to engine and during the RemoteIP() check will always be nil: if c.engine.trustedCIDRs != nil {

How to reproduce

Follow the manual approach here and then c.ClientIP() will never trust the IP that forwards proxy requests.

Expectations

c.ClientIP() returns the IP in X-Forwarded-For or X-Real-IP.

Actual result

c.ClientIP() returns the internal IP of the proxy e.g. 192.168.10.20.

Environment

  • go version: 1.17
  • gin version (or commit ref): 1.7.4
  • operating system: Debian Buster
@Bisstocuz (Contributor)

Hi, this issue has been resolved in #2887 , I believe it will be available in version 1.7.5.

@MichaelBurgess (Author)

> Hi, this issue has been resolved in #2887 , I believe it will be available in version 1.7.5.

Thanks @Bisstocuz - any ideas when 1.7.5 will be released? Need to work out if I can wait, or implement my own logic in the meanwhile.

@Bisstocuz (Contributor)

> Hi, this issue has been resolved in #2887 , I believe it will be available in version 1.7.5.

> Thanks @Bisstocuz - any ideas when 1.7.5 will be released? Need to work out if I can wait, or implement my own logic in the meanwhile.

As for when 1.7.5 will be released, that needs maintainer @appleboy's answer.
For now, I recommend you use an Nginx proxy server and Engine.Run() temporarily.
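The "implement my own logic in the meanwhile" option from the thread, worked through as an added example. This is not gin's code and not code from the thread participants: it is a stand-alone net/http middleware that does what the issue says the Run() path does (accept X-Forwarded-For / X-Real-IP only when the TCP peer is a configured trusted proxy) and stores the result in the request context, so it works with the manual http.Server graceful-shutdown setup and with ListenAndServeTLS. The names ParseTrustedProxies, ClientIPMiddleware and ClientIPFromContext, the CIDR list, the stand-in handler used in place of a gin *Engine, and the constructed request addresses are all assumptions; gin's own header-walking rules may differ in detail.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TrustedProxies lists the CIDRs of proxies whose X-Forwarded-For / X-Real-IP headers are
// believed. Any other peer gets its TCP address, so a client cannot pick its own IP.
type TrustedProxies struct{ nets []*net.IPNet }

func ParseTrustedProxies(cidrs []string) (*TrustedProxies, error) {
	tp := &TrustedProxies{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("trusted proxy %q: %w", c, err)
		}
		tp.nets = append(tp.nets, n)
	}
	return tp, nil
}

func (tp *TrustedProxies) contains(ip net.IP) bool {
	for _, n := range tp.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP consults forwarding headers only when the TCP peer is a trusted proxy, and reads
// X-Forwarded-For from the right, skipping trusted hops, so a client-supplied entry is ignored.
func (tp *TrustedProxies) ClientIP(r *http.Request) string {
	host, _, _ := net.SplitHostPort(r.RemoteAddr) // net/http always sets host:port
	peer := net.ParseIP(host)
	if peer == nil || !tp.contains(peer) {
		return host
	}
	for _, name := range []string{"X-Forwarded-For", "X-Real-IP"} {
		if ip, ok := tp.fromHeader(strings.Join(r.Header.Values(name), ",")); ok {
			return ip
		}
	}
	return peer.String()
}

func (tp *TrustedProxies) fromHeader(v string) (string, bool) {
	parts := strings.Split(v, ",")
	for i := len(parts) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(parts[i]))
		if ip == nil {
			return "", false // malformed (or empty) entry: distrust the whole header
		}
		if i == 0 || !tp.contains(ip) {
			return ip.String(), true
		}
	}
	return "", false
}

type clientIPKey struct{}
// ClientIPMiddleware wraps any http.Handler (a gin *Engine included) and stores the client IP.
func ClientIPMiddleware(tp *TrustedProxies, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx := context.WithValue(r.Context(), clientIPKey{}, tp.ClientIP(r))
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

func ClientIPFromContext(ctx context.Context) string {
	ip, _ := ctx.Value(clientIPKey{}).(string)
	return ip
}

func main() {
	tp, err := ParseTrustedProxies([]string{"192.168.10.20/32", "10.0.0.0/8"})
	if err != nil {
		panic(err)
	}
	// Manual graceful-shutdown wiring: a gin *Engine goes where this stand-in handler is (assumption).
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, ClientIPFromContext(r.Context()))
	})
	srv := &http.Server{Addr: ":8080", Handler: ClientIPMiddleware(tp, app)}
	// Constructed request: client 203.0.113.7 -> in-cluster hop 10.0.0.5 -> proxy 192.168.10.20.
	req := httptest.NewRequest("GET", "/", nil)
	req.RemoteAddr = "192.168.10.20:43210"
	req.Header.Set("X-Forwarded-For", "203.0.113.7, 10.0.0.5")
	rec := httptest.NewRecorder()
	srv.Handler.ServeHTTP(rec, req)
	fmt.Println(rec.Body.String()) // 203.0.113.7
}
```

In a gin handler, read ClientIPFromContext(c.Request.Context()) instead of c.ClientIP(); srv.ListenAndServeTLS and srv.Shutdown are used exactly as before. The list passed to ParseTrustedProxies must be only the hops that actually append X-Forwarded-For: if every entry in the header is a trusted address the leftmost one is returned, so a trusted hop that forwards a client-supplied header untouched still lets the client choose the reported IP.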
