Merge pull request #193 from Nextra/fix-ipv6

mpolden · web-flow · commit a90ace43f4c0 · 2026-02-12T16:12:57.000+01:00
diff --git a/http/http.go b/http/http.go
@@ -101,17 +101,19 @@ func ipFromRequest(headers []string, r *http.Request, customIP bool) (net.IP, er
 	if remoteIP == "" {
 		remoteIP = r.RemoteAddr
 	}
-	sep := strings.Index(remoteIP, ":")
-	if sep != -1 {
-		host, _, err := net.SplitHostPort(remoteIP)
-		if err != nil {
-			return nil, err
-		}
-		remoteIP = host
-	}
 	ip := net.ParseIP(remoteIP)
 	if ip == nil {
-		return nil, fmt.Errorf("could not parse IP: %s", remoteIP)
+		if strings.Contains(remoteIP, ":") {
+			host, _, err := net.SplitHostPort(remoteIP)
+			if err != nil {
+				return nil, err
+			}
+			remoteIP = host
+			ip = net.ParseIP(remoteIP)
+		}
+		if ip == nil {
+			return nil, fmt.Errorf("could not parse IP: %s", remoteIP)
+		}
 	}
 	return ip, nil
 }
diff --git a/http/http_test.go b/http/http_test.go
@@ -17,6 +17,13 @@ func lookupAddr(net.IP) (string, error) { return "localhost", nil }
 func lookupPort(net.IP, uint64) error   { return nil }
 
 type testDb struct{}
+type ipTestCase struct {
+	remoteAddr     string
+	headerKey      string
+	headerValue    string
+	trustedHeaders []string
+	out            string
+}
 
 func (t *testDb) Country(net.IP) (geo.Country, error) {
 	return geo.Country{Name: "Elbonia", ISO: "EB", IsEU: new(bool)}, nil
@@ -209,14 +216,8 @@ func TestCacheResizeHandler(t *testing.T) {
 	}
 }
 
-func TestIPFromRequest(t *testing.T) {
-	var tests = []struct {
-		remoteAddr     string
-		headerKey      string
-		headerValue    string
-		trustedHeaders []string
-		out            string
-	}{
+func TestIPv4FromRequest(t *testing.T) {
+	var tests = []ipTestCase{
 		{"127.0.0.1:9999", "", "", nil, "127.0.0.1"},                                                                // No header given
 		{"127.0.0.1:9999", "X-Real-IP", "1.3.3.7", nil, "127.0.0.1"},                                                // Trusted header is empty
 		{"127.0.0.1:9999", "X-Real-IP", "1.3.3.7", []string{"X-Foo-Bar"}, "127.0.0.1"},                              // Trusted header does not match
@@ -235,6 +236,32 @@ func TestIPFromRequest(t *testing.T) {
 		{"127.0.0.1:9999?ip=1.2.3.4:1234", "", "", nil, "1.2.3.4"},                                                                 // passed in "ip" parameter (with port)
 		{"127.0.0.1:9999?ip=1.2.3.4:1234", "X-Forwarded-For", "1.3.3.7:1337,4.2.4.2:4242", []string{"X-Forwarded-For"}, "1.2.3.4"}, // ip parameter wins over X-Forwarded-For with multiple entries (with port)
 	}
+	testIpFromRequest(t, tests)
+}
+func TestIPv6FromRequest(t *testing.T) {
+	var tests = []ipTestCase{
+		{"[::1]:9999", "", "", nil, "::1"},                                                                                                  // No header given
+		{"[::1]:9999", "X-Real-IP", "::ffff:103:307", nil, "::1"},                                                                           // Trusted header is empty
+		{"[::1]:9999", "X-Real-IP", "::ffff:103:307", []string{"X-Foo-Bar"}, "::1"},                                                         // Trusted header does not match
+		{"[::1]:9999", "X-Real-IP", "::ffff:103:307", []string{"X-Real-IP", "X-Forwarded-For"}, "::ffff:103:307"},                           // Trusted header matches
+		{"[::1]:9999", "X-Forwarded-For", "::ffff:103:307", []string{"X-Real-IP", "X-Forwarded-For"}, "::ffff:103:307"},                     // Second trusted header matches
+		{"[::1]:9999", "X-Forwarded-For", "::ffff:103:307,::ffff:402:402", []string{"X-Forwarded-For"}, "::ffff:103:307"},                   // X-Forwarded-For with multiple entries (commas separator)
+		{"[::1]:9999", "X-Forwarded-For", "::ffff:103:307, ::ffff:402:402", []string{"X-Forwarded-For"}, "::ffff:103:307"},                  // X-Forwarded-For with multiple entries (space+comma separator)
+		{"[::1]:9999", "X-Forwarded-For", "", []string{"X-Forwarded-For"}, "::1"},                                                           // Empty header
+		{"[::1]:9999?ip=::ffff:102:304", "", "", nil, "::ffff:102:304"},                                                                     // passed in "ip" parameter
+		{"[::1]:9999?ip=::ffff:102:304", "X-Forwarded-For", "::ffff:103:307,::ffff:402:402", []string{"X-Forwarded-For"}, "::ffff:102:304"}, // ip parameter wins over X-Forwarded-For with multiple entries
+
+		{"[::1]:9999", "X-Real-IP", "[::ffff:103:307]:1337", []string{"X-Real-IP", "X-Forwarded-For"}, "::ffff:103:307"},                                         // Trusted header matches (with port)
+		{"[::1]:9999", "X-Forwarded-For", "[::ffff:103:307]:1337", []string{"X-Real-IP", "X-Forwarded-For"}, "::ffff:103:307"},                                   // Second trusted header matches (with port)
+		{"[::1]:9999", "X-Forwarded-For", "[::ffff:103:307]:1337,[::ffff:402:402]:4242", []string{"X-Forwarded-For"}, "::ffff:103:307"},                          // X-Forwarded-For with multiple entries (commas separator, with port)
+		{"[::1]:9999", "X-Forwarded-For", "[::ffff:103:307]:1337, [::ffff:402:402]:4242", []string{"X-Forwarded-For"}, "::ffff:103:307"},                         // X-Forwarded-For with multiple entries (space+comma separator, with port)
+		{"[::1]:9999?ip=[::ffff:102:304]:1234", "", "", nil, "::ffff:102:304"},                                                                                   // passed in "ip" parameter (with port)
+		{"[::1]:9999?ip=[::ffff:102:304]:1234", "X-Forwarded-For", "[::ffff:103:307]:1337,[::ffff:402:402]:4242", []string{"X-Forwarded-For"}, "::ffff:102:304"}, // ip parameter wins over X-Forwarded-For with multiple entries (with port)
+	}
+	testIpFromRequest(t, tests)
+}
+
+func testIpFromRequest(t *testing.T, tests []ipTestCase) {
 	for _, tt := range tests {
 		u, err := url.Parse("http://" + tt.remoteAddr)
 		if err != nil {
