From 15c450521549b9aaa8e38cd70c6ef6021a644e0e Mon Sep 17 00:00:00 2001 From: Mac Chaffee Date: Sun, 27 Oct 2024 15:21:20 -0400 Subject: [PATCH] Document how to obtain the real client IP --- docs/posts/advanced.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/docs/posts/advanced.md b/docs/posts/advanced.md index 8e8b7ff..638a57e 100644 --- a/docs/posts/advanced.md +++ b/docs/posts/advanced.md @@ -75,3 +75,31 @@ enabling load balancing in sish, this happens automatically when a device with the same forwarded TCP port, alias, or HTTP subdomain connects to sish. Connections will then be evenly distributed to whatever nodes are connected to sish that match the forwarded connection. + +# Access client IP addresses + +When an HTTP request is forwarded to your service, sish automatically appends the following standard headers: + +* [`X-Forwarded-For`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For) +* [`X-Forwarded-Host`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host) +* [`X-Forwarded-Proto`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto) + +Here is an example request that came from `203.0.113.12`: + +``` +GET / HTTP/1.1 +Host: example-project.tuns.sh +User-Agent: curl/8.7.1 +Accept: */* +X-Forwarded-For: 198.51.100.10, 203.0.113.12 +X-Forwarded-Host: example-project.tuns.sh +X-Forwarded-Port: 443 +X-Forwarded-Proto: https +X-Forwarded-Server: oracle2 +X-Real-Ip: 198.51.100.10 +Accept-Encoding: gzip +``` + +Each proxy that the request passes through will add a new value to the right of `X-Forwarded-For`. In most cases, you can obtain the real client IP address by reading the right-most value of `X-Forwarded-For`. + +Do not trust the `X-Real-Ip` header or the other values in `X-Forwarded-For` since those can be spoofed. Please read the [security and privacy concerns](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For#security_and_privacy_concerns) section for more details.