// credits https://husobee.github.io/golang/ip-address/2015/12/17/remote-ip-go.html
package firewall
import (
"bytes"
"net"
"net/http"
"regexp"
"strings"
)
// ipv6regex is the pattern isIpv6 uses to recognise IPv6 address text.
// It has no ^ or $ anchors, so it matches when any part of the input looks
// like an IPv6 address; it does not validate the whole string.
// NOTE(review): the first embedded-IPv4 alternative is written with `\\.`,
// which inside a raw string means a literal backslash followed by any
// character, while the later copy uses `\.` — looks unintended, confirm.
const ipv6regex = `(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}))`
// ipRange describes a contiguous block of IP addresses by its two bounds.
type ipRange struct {
	start, end net.IP // lower and upper bound, as compared by inRange
}
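// inRange reports whether ipAddress lies within r, with both r.start and
// r.end counted as part of the range.
//
// All three addresses are converted to the 16-byte form before the byte-wise
// comparison, so a 4-byte IPv4 value and the 16-byte value returned by
// net.ParseIP compare correctly. An address that cannot be converted (nil or
// of an invalid length) is never in range.
func inRange(r ipRange, ipAddress net.IP) bool {
	ip, lo, hi := ipAddress.To16(), r.start.To16(), r.end.To16()
	if ip == nil || lo == nil || hi == nil {
		return false
	}
	// The end bound is inclusive: the ranges in this file are written with
	// the last address of each block (e.g. 10.255.255.255), and that address
	// has to match as well.
	return bytes.Compare(ip, lo) >= 0 && bytes.Compare(ip, hi) <= 0
}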
// privateRanges lists the IPv4 blocks that isPrivateSubnet treats as
// non-public. Only three of them are RFC 1918 private space
// (https://datatracker.ietf.org/doc/html/rfc1918#section-3); the others are
// special-purpose blocks defined by later RFCs. Each end value is written as
// the last address of its block.
var privateRanges = []ipRange{
	// 10.0.0.0/8 (RFC 1918)
	{start: net.ParseIP("10.0.0.0"), end: net.ParseIP("10.255.255.255")},
	// 100.64.0.0/10, shared address space for carrier-grade NAT (RFC 6598)
	{start: net.ParseIP("100.64.0.0"), end: net.ParseIP("100.127.255.255")},
	// 172.16.0.0/12 (RFC 1918)
	{start: net.ParseIP("172.16.0.0"), end: net.ParseIP("172.31.255.255")},
	// 192.0.0.0/24, IETF protocol assignments (RFC 6890)
	{start: net.ParseIP("192.0.0.0"), end: net.ParseIP("192.0.0.255")},
	// 192.168.0.0/16 (RFC 1918)
	{start: net.ParseIP("192.168.0.0"), end: net.ParseIP("192.168.255.255")},
	// 198.18.0.0/15, benchmarking (RFC 2544)
	{start: net.ParseIP("198.18.0.0"), end: net.ParseIP("198.19.255.255")},
}
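// isPrivateSubnet reports whether ipAddress belongs to one of the non-public
// IPv4 blocks in privateRanges, or to the IPv6 unique-local block fc00::/7
// (RFC 4193), the IPv6 counterpart of RFC 1918 space.
//
// Other reserved IPv6 blocks are not covered yet. A nil or malformed address
// is reported as not private.
func isPrivateSubnet(ipAddress net.IP) bool {
	if ipAddress.To4() != nil {
		// privateRanges holds the 16-byte values produced by net.ParseIP.
		// Compare in that same form, otherwise a 4-byte IPv4 value would
		// never fall inside any range.
		ip16 := ipAddress.To16()
		for _, r := range privateRanges {
			if inRange(r, ip16) {
				return true
			}
		}
		return false
	}
	if ip16 := ipAddress.To16(); ip16 != nil {
		// fc00::/7: the top seven bits of the first byte are 1111 110.
		return ip16[0]&0xfe == 0xfc
	}
	// TODO: implement the remaining reserved ipv6 ranges
	return false
}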
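// getIPAddress returns the client address for r. It checks True-Client-IP,
// X-Forwarded-For and X-Real-Ip in that order and returns the right-most
// entry that is a global unicast address outside the private ranges; when no
// header yields one it falls back to the host part of r.RemoteAddr.
//
// NOTE(security): these headers are written by whoever sent the request. The
// result can only be trusted when every request reaches this handler through
// a proxy that overwrites or strips all three headers; otherwise the sender
// chooses the address returned here. Confirm the deployment before using the
// value for allow/deny or rate-limit decisions.
func getIPAddress(r *http.Request) string {
	ipHeaders := []string{
		"True-Client-IP",
		"X-Forwarded-For",
		"X-Real-Ip",
	}
	for _, h := range ipHeaders {
		// A header can arrive as several field lines. Header.Get returns only
		// the first one, which would hide entries appended on later lines, so
		// all lines are joined before the list is walked.
		lines := r.Header[http.CanonicalHeaderKey(h)]
		addresses := strings.Split(strings.Join(lines, ","), ",")
		// march from right to left until we get a public address
		// that will be the address right before our proxy.
		for i := len(addresses) - 1; i >= 0; i-- {
			// header can contain spaces too, strip those out.
			ip := strings.TrimSpace(addresses[i])
			if ip == "" {
				continue
			}
			realIP := net.ParseIP(ip)
			// ParseIP yields nil for malformed text and a nil IP is not
			// global unicast, so unparsable entries are skipped here too.
			if !realIP.IsGlobalUnicast() || isPrivateSubnet(realIP) {
				continue
			}
			return ip
		}
	}
	return ipRemoteAddr(r.RemoteAddr)
}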
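// ipv6Pattern is ipv6regex compiled once at package initialisation, so the
// large pattern is not recompiled on every call.
var ipv6Pattern = regexp.MustCompile(ipv6regex)

// isIpv6 reports whether addr contains text matching ipv6regex.
//
// The pattern is not anchored, so this is a substring match: it tells IPv6
// text apart from IPv4 text but does not validate that the whole of addr is
// a well-formed address. Use net.ParseIP where validation is needed.
func isIpv6(addr string) bool {
	return ipv6Pattern.MatchString(addr)
}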
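// ipAddrWithoutPort returns the client address chosen by getIPAddress with
// any port and any IPv6 brackets removed.
func ipAddrWithoutPort(r *http.Request) string {
	addr := getIPAddress(r)
	// "host:port" and "[v6]:port" are split by the standard library.
	if host, _, err := net.SplitHostPort(addr); err == nil {
		return host
	}
	// No port present. getIPAddress returns bare addresses, so cutting at the
	// last ':' here would drop the final group of an IPv6 address and make
	// distinct clients look alike; return the address whole instead.
	return strings.Trim(addr, "[]")
}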
// ipRemoteAddr returns the host part of a "host:port" address such as
// http.Request.RemoteAddr. It returns "" when remoteAddr cannot be split,
// for example when it carries no port.
func ipRemoteAddr(remoteAddr string) string {
	host, _, splitErr := net.SplitHostPort(remoteAddr)
	if splitErr == nil {
		return host
	}
	return ""
}