apisix/plugins/real-ip.lua - apisix - Git at Google

 --
 -- Licensed to the Apache Software Foundation (ASF) under one or more
 -- contributor license agreements.  See the NOTICE file distributed with
 -- this work for additional information regarding copyright ownership.
 -- The ASF licenses this file to You under the Apache License, Version 2.0
 -- (the "License"); you may not use this file except in compliance with
 -- the License.  You may obtain a copy of the License at
 --
 --     http://www.apache.org/licenses/LICENSE-2.0
 --
 -- Unless required by applicable law or agreed to in writing, software
 -- distributed under the License is distributed on an "AS IS" BASIS,
 -- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 -- See the License for the specific language governing permissions and
 -- limitations under the License.
 --
 local core = require("apisix.core")
 local is_apisix_or, client = pcall(require, "resty.apisix.client")
 local str_byte = string.byte
 local str_sub = string.sub
 local ipairs = ipairs
 local type = type


 local schema = {
     type = "object",
     properties = {
         trusted_addresses = {
             type = "array",
             items = {anyOf = core.schema.ip_def},
             minItems = 1
         },
         source = {
             type = "string",
             minLength = 1
         }
     },
     required = {"source"},
 }


 local plugin_name = "real-ip"


 local _M = {
     version = 0.1,
     priority = 23000,
     name = plugin_name,
     schema = schema,
 }


 function _M.check_schema(conf)
     local ok, err = core.schema.check(schema, conf)
     if not ok then
         return false, err
     end

     if conf.trusted_addresses then
         for _, cidr in ipairs(conf.trusted_addresses) do
             if not core.ip.validate_cidr_or_ip(cidr) then
                 return false, "invalid ip address: " .. cidr
             end
         end
     end
     return true
 end


 local function get_addr(conf, ctx)
     if conf.source == "http_x_forwarded_for" then
         -- use the last address from X-Forwarded-For header
         local addrs = core.request.header(ctx, "X-Forwarded-For")
         if not addrs then
             return nil
         end

         if type(addrs) == "table" then
             addrs = addrs[#addrs]
         end

         local idx = core.string.rfind_char(addrs, ",")
         if not idx then
             return addrs
         end

         for i = idx + 1, #addrs do
             if str_byte(addrs, i) == str_byte(" ") then
                 idx = idx + 1
             else
                 break
             end
         end

         return str_sub(addrs, idx + 1)
     end
     return ctx.var[conf.source]
 end


 function _M.rewrite(conf, ctx)
     if not is_apisix_or then
         core.log.error("need to build APISIX-OpenResty to support setting real ip")
         return 501
     end

     if conf.trusted_addresses then
         if not conf.matcher then
             conf.matcher = core.ip.create_ip_matcher(conf.trusted_addresses)
         end

         local remote_addr = ctx.var.remote_addr
         local trusted = conf.matcher:match(remote_addr)
         if not trusted then
             return
         end
     end

     local addr = get_addr(conf, ctx)
     if not addr then
         core.log.warn("missing real address")
         return
     end

     local ip, port = core.utils.parse_addr(addr)
     if not ip or (not core.utils.parse_ipv4(ip) and not core.utils.parse_ipv6(ip)) then
         core.log.warn("bad address: ", addr)
         return
     end

     if str_byte(ip, 1, 1) == str_byte("[") then
         -- For IPv6, the `set_real_ip` accepts '::1' but not '[::1]'
         ip = str_sub(ip, 2, #ip - 1)
     end

     if port ~= nil and (port < 1 or port > 65535) then
         core.log.warn("bad port: ", port)
         return
     end

     core.log.info("set real ip: ", ip, ", port: ", port)

     local ok, err = client.set_real_ip(ip, port)
     if not ok then
         core.log.error("failed to set real ip: ", err)
         return
     end

     -- flush cached vars in APISIX
     ctx.var.remote_addr = nil
     ctx.var.remote_port = nil
     ctx.var.realip_remote_addr = nil
     ctx.var.realip_remote_port = nil
 end


 return _M
	--
	-- Licensed to the Apache Software Foundation (ASF) under one or more
	-- contributor license agreements. See the NOTICE file distributed with
	-- this work for additional information regarding copyright ownership.
	-- The ASF licenses this file to You under the Apache License, Version 2.0
	-- (the "License"); you may not use this file except in compliance with
	-- the License. You may obtain a copy of the License at
	--
	-- http://www.apache.org/licenses/LICENSE-2.0
	--
	-- Unless required by applicable law or agreed to in writing, software
	-- distributed under the License is distributed on an "AS IS" BASIS,
	-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	-- See the License for the specific language governing permissions and
	-- limitations under the License.
	--
	local core = require("apisix.core")
	local is_apisix_or, client = pcall(require, "resty.apisix.client")
	local str_byte = string.byte
	local str_sub = string.sub
	local ipairs = ipairs
	local type = type


	local schema = {
	type = "object",
	properties = {
	trusted_addresses = {
	type = "array",
	items = {anyOf = core.schema.ip_def},
	minItems = 1
	},
	source = {
	type = "string",
	minLength = 1
	}
	},
	required = {"source"},
	}


	local plugin_name = "real-ip"


	local _M = {
	version = 0.1,
	priority = 23000,
	name = plugin_name,
	schema = schema,
	}


	function _M.check_schema(conf)
	local ok, err = core.schema.check(schema, conf)
	if not ok then
	return false, err
	end

	if conf.trusted_addresses then
	for _, cidr in ipairs(conf.trusted_addresses) do
	if not core.ip.validate_cidr_or_ip(cidr) then
	return false, "invalid ip address: " .. cidr
	end
	end
	end
	return true
	end


	local function get_addr(conf, ctx)
	if conf.source == "http_x_forwarded_for" then
	-- use the last address from X-Forwarded-For header
	local addrs = core.request.header(ctx, "X-Forwarded-For")
	if not addrs then
	return nil
	end

	if type(addrs) == "table" then
	addrs = addrs[#addrs]
	end

	local idx = core.string.rfind_char(addrs, ",")
	if not idx then
	return addrs
	end

	for i = idx + 1, #addrs do
	if str_byte(addrs, i) == str_byte(" ") then
	idx = idx + 1
	else
	break
	end
	end

	return str_sub(addrs, idx + 1)
	end
	return ctx.var[conf.source]
	end


	function _M.rewrite(conf, ctx)
	if not is_apisix_or then
	core.log.error("need to build APISIX-OpenResty to support setting real ip")
	return 501
	end

	if conf.trusted_addresses then
	if not conf.matcher then
	conf.matcher = core.ip.create_ip_matcher(conf.trusted_addresses)
	end

	local remote_addr = ctx.var.remote_addr
	local trusted = conf.matcher:match(remote_addr)
	if not trusted then
	return
	end
	end

	local addr = get_addr(conf, ctx)
	if not addr then
	core.log.warn("missing real address")
	return
	end

	local ip, port = core.utils.parse_addr(addr)
	if not ip or (not core.utils.parse_ipv4(ip) and not core.utils.parse_ipv6(ip)) then
	core.log.warn("bad address: ", addr)
	return
	end

	if str_byte(ip, 1, 1) == str_byte("[") then
	-- For IPv6, the `set_real_ip` accepts '::1' but not '[::1]'
	ip = str_sub(ip, 2, #ip - 1)
	end

	if port ~= nil and (port < 1 or port > 65535) then
	core.log.warn("bad port: ", port)
	return
	end

	core.log.info("set real ip: ", ip, ", port: ", port)

	local ok, err = client.set_real_ip(ip, port)
	if not ok then
	core.log.error("failed to set real ip: ", err)
	return
	end

	-- flush cached vars in APISIX
	ctx.var.remote_addr = nil
	ctx.var.remote_port = nil
	ctx.var.realip_remote_addr = nil
	ctx.var.realip_remote_port = nil
	end


	return _M