mirror of
https://github.com/sourcegraph/sourcegraph.git
synced 2026-02-06 20:31:48 +00:00
7a3da57188
Closes https://linear.app/sourcegraph/issue/SRC-454/extract-and-propagate-user-ip-address-throughout-the-request-lifecycle
According to [HTTP1.1/RFC 2616](https://www.rfc-editor.org/rfc/rfc2616): Headers may be repeated, and any comma-separated list-headers (like `X-Forwarded-For`) should be treated as a single value.
In section 4.2:
> Multiple message-header fields with the same field-name MAY bepresent in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]. **It MUST be possible to combine the multiple header fields into one"field-name: field-value" pair, without changing the semantics of the message, by appending each subsequent field-value to the first, each separated by a comma.** The order in which header fields with the same field-name are received **is therefore significant** to the interpretation of the combined field value, and thus a proxy MUST NOT change the order of these field values when a message is forwarded.
For Example:
For the following HTTP request, it's valid to have multiple instances of x-forwarded-for:
| Header Name | Header Value |
|------------------|---------------------------|
| X-Forwarded-For | 203.0.113.195, 70.41.3.18 |
| X-Forwarded-For | 150.172.238.178 |
| X-Forwarded-For | 123.45.67.89 |
| ... | ...|
That must be interpret-able as `X-Forwarded-For: 203.0.113.195, 70.41.3.18, 150.172.238.178, 123.45.67.89`
Previously, our code used http.Header.Get():
|
||
|---|---|---|
| .. | ||
| geolocation | ||
| BUILD.bazel | ||
| client_test.go | ||
| client.go | ||
| grpc_test.go | ||
| grpc.go | ||
| http_test.go | ||
| http.go | ||