🔥Feature (v3): Add TrustInternalIPs Config Option

[xEricL]

Description

This adds a new config option called TrustInternalIPs, allowing developers to trust Loop-back, Private, and Link-local IP addresses without adding the ranges to TrustedProxies when EnableTrustedProxyCheck is enabled. If these ranges are added manually, it can negatively impact performance (see #2933 benchmarks).

I chose these three ranges because these are the same ranges enabled by default when configuring an IP extractor in Echo.

Fixes #2930

Changes introduced

• Benchmarks: Describe any performance benchmarks and improvements related to the changes.
• Documentation Update: Detail the updates made to the documentation and links to the changed files.

Type of change

• New feature (non-breaking change which adds functionality)
• Enhancement (improvement to existing features and functionality)
• Documentation update (changes to documentation)
• Performance improvement (non-breaking change which improves efficiency)

Checklist

Before you submit your pull request, please make sure you meet these requirements:

• Followed the inspiration of the Express.js framework for new functionalities, making them similar in usage.
• Conducted a self-review of the code and provided comments for complex or critical parts.
• Updated the documentation in the /docs/ directory for Fiber's documentation.
• Added or updated unit tests to validate the effectiveness of the changes or new features.
• Ensured that new and existing unit tests pass locally with the changes.
• Verified that any new dependencies are essential and have been agreed upon by the maintainers/community.
• Aimed for optimal performance with minimal allocations in the new code.
• Provided benchmarks for the new code to analyze and improve upon.

Commit formatting

Please use emojis in commit messages for an easy way to identify the purpose or intention of a commit. Check out the emoji cheatsheet here: CONTRIBUTING.md

[welcome]

Thanks for opening this pull request! 🎉 Please check out our contributing guidelines. If you need help or want to chat with us, join us on Discord https://gofiber.io/discord

[coderabbitai]

Walkthrough

The changes introduce two new boolean fields, EnableTrustedProxyCheck and TrustInternalIPs, to the Config struct in app.go, enhancing proxy configuration options. The IsProxyTrusted method in ctx.go is updated to utilize these fields for determining trusted proxies based on internal IP addresses. Additionally, tests for this functionality are added in ctx_test.go, and documentation updates are made in docs/api/ctx.md and docs/api/fiber.md to reflect the new configuration options.

Changes

Files	Change Summary
app.go	Added EnableTrustedProxyCheck and TrustInternalIPs boolean fields to Config struct.
ctx.go	Updated IsProxyTrusted method to check for internal IPs based on new config options; added isInternalHost.
ctx_test.go	Added tests for IsProxyTrusted functionality with new configurations; included benchmarks.
docs/api/ctx.md	Updated descriptions for IsFromLocal and IsProxyTrusted; added TrustInternalIPs to documentation.
docs/api/fiber.md	Introduced TrustInternalIPs to Fiber configuration options; adjusted formatting for consistency.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant App
    participant Proxy

    User->>App: Request with X-Forwarded-For
    App->>Proxy: Check if Proxy is Trusted
    Proxy->>App: Return IP
    App->>App: Check EnableTrustedProxyCheck
    App->>App: Check TrustInternalIPs
    App->>User: Respond based on trust evaluation

Loading

Assessment against linked issues

Objective	Addressed	Explanation
Simplify adding internal IP ranges to fiber.Config (Issue #2930)	✅
Provide a way to trust internal IPs without manual specification (Issue #2930)	✅
Align with other frameworks' handling of trusted proxies (Issue #2930)	❌	No constants or helper functions were added.

Poem

In the garden where rabbits play,
New fields sprout to light the way.
Trusted proxies, oh what a treat,
With internal IPs, they can't be beat!
So hop along, let's cheer and sing,
For the changes that this update brings! 🐇✨

---

Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between fbc24e8 and 78cadc0.

Files selected for processing (5)

• app.go (2 hunks)
• ctx.go (2 hunks)
• ctx_test.go (2 hunks)
• docs/api/ctx.md (3 hunks)
• docs/api/fiber.md (2 hunks)

Files skipped from review due to trivial changes (1)

• docs/api/ctx.md

Additional comments not posted (8)

app.go (2)

347-349: LGTM!

The new EnableTrustedProxyCheck field is well-documented, and the default behavior is clearly explained. The interaction with the TrustedProxies field is also mentioned, which helps users understand the feature better.

---

360-364: LGTM!

The new TrustInternalIPs field is well-documented, and the default behavior is clearly explained. The feature provides a convenient way to trust internal IP addresses without manual configuration, which can improve the developer experience.

docs/api/fiber.md (2)

51-51: Formatting change looks good!

The description text for the CompressedFileSuffixes configuration option has been aligned properly, improving the readability of the documentation.

---

78-78: New configuration option looks good!

The TrustInternalIPs configuration option is a useful addition to the Fiber framework. It simplifies the configuration of trusted internal IP addresses when the trusted proxy check is enabled.

The description clearly explains the behavior and the default value is appropriate.

ctx.go (2)

1848-1851: LGTM!

The isInternalHost function correctly identifies internal IP addresses using the appropriate methods from the net package. It provides a convenient way to check if an IP should be trusted when the TrustInternalIPs config option is enabled.

---

1831-1833: Looks good!

The changes to IsProxyTrusted correctly add support for trusting internal IPs when the TrustInternalIPs config option is enabled. The new check takes precedence over the existing trusted proxies map and ranges, simplifying configuration for users who want to trust all internal IPs by default.

The changes are backwards compatible and do not affect existing behavior if TrustInternalIPs is disabled.

ctx_test.go (2)

1717-1726: LGTM!

The test case for IsProxyTrusted with TrustInternalIPs enabled looks good. It correctly sets up the app configuration, acquires a context, sets the necessary request details, and asserts the expected behavior.

---

6364-6380: Looks good!

The new benchmark scenarios for testing IsProxyTrusted performance with only TrustInternalIPs enabled are implemented correctly. They follow the same structure as the existing scenarios, properly set up the app and context, and measure the performance both sequentially and in parallel.

Also applies to: 6382-6399

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  -- I pushed a fix in commit <commit_id>, please review it.
  -- Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  -- @coderabbitai generate unit testing code for this file.
  -- @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  -- @coderabbitai generate interesting stats about this repository and render them as a table.
  -- @coderabbitai read src/utils.ts and generate unit testing code.
  -- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  -- @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[codecov]

Codecov Report

Attention: Patch coverage is 50.00000% with 2 lines in your changes missing coverage. Please review.

Project coverage is 80.11%. Comparing base (fbc24e8) to head (78cadc0).
Report is 17 commits behind head on main.

Files with missing lines	Patch %	Lines
ctx.go	50.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3137      +/-   ##
==========================================
- Coverage   80.19%   80.11%   -0.08%     
==========================================
  Files         117      117              
  Lines        9048     9052       +4     
==========================================
- Hits         7256     7252       -4     
- Misses       1360     1365       +5     
- Partials      432      435       +3     

Flag	Coverage Δ
unittests	80.11% <50.00%> (-0.08%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[gaby]

Per discord conversation something like this will be added to make this more user-friendly:

type TrustedProxyConfig struct {
    IPs                []string
    Ranges             []string
    Unicast            bool
    Multicast          bool
    LinkLocalUnicast   bool
    LinkLocalMulticast bool
    Loopback           bool
    Private            bool
}

[ReneWerner87]

@xEricL thx for the PR
Can you implement the suggested changes from gaby

[gaby]

@ReneWerner87 I talked to @xEricL on Discord, he will be implemented the options from Express.js

https://expressjs.com/en/guide/behind-proxies.html

[ReneWerner87]

@gaby @xEricL friendly ping

[xEricL]

@ReneWerner87 hey, I'm sorry I've been very busy with school so I haven't had a chance to finish it up. I've had it mostly done for a while now but I'm having second thoughts about how it looks; It just feels a bit verbose.

Here are some examples. What do you guys think?

app := fiber.New(fiber.Config{
        EnableTrustedProxyCheck: true,
        TrustedProxyConfig: fiber.TrustedProxyConfig{
            Proxies: []string{"192.168.0.0/24", "10.0.0.0/16", "0.0.0.0/8"},
        },
    })

app := New(Config{
	EnableTrustedProxyCheck: true,
	TrustedProxyConfig: fiber.TrustedProxyConfig{
		Proxies: []string{"172.16.0.0/12"},
		Loopback: true,
	},
})

[gaby]

@xEricL In express.js this is actually called "trust proxy". See here https://expressjs.com/en/guide/behind-proxies.html

How about this?

app := New(Config{
	TrustProxy: true,
	TrustProxyConfig: fiber.TrustProxyConfig{
		Proxies: []string{"172.16.0.0/12"},
		Loopback: true,
	},
})

@ReneWerner87 @efectn Thoughts?

[efectn]

@xEricL In express.js this is actually called "trust proxy". See here expressjs.com/en/guide/behind-proxies.html

How about this?

app := New(Config{
	TrustProxy: true,
	TrustProxyConfig: fiber.TrustProxyConfig{
		Proxies: []string{"172.16.0.0/12"},
		Loopback: true,
	},
})

@ReneWerner87 @efectn Thoughts?

It seems OK to me.

[xEricL]

I've opened a new PR with a new implementation for this feature. #3170