Tuwunel's client-IP extractor.
Two modes:
- If the operator configured `ip_source`, a `ConfiguredIpSource` marker is installed in request extensions and the extractor reads from the chosen source. Exception: if the peer shown by `ConnectInfo` is on a loopback interface, or sits inside an operator-listed trusted subnet (see `TrustedPeerSubnets`), the insecure header-scan + `ConnectInfo` fallback runs instead, since such peers (e.g. a locally-connected appservice bridge, or a containerized bridge on a private Docker network) cannot have spoofed the address at the IP layer.
- Otherwise the insecure header-scan + `ConnectInfo` fallback runs directly, preserving the prior default behaviour, including the socket-address fallback that matters for Unix-socket deployments.
Structs
- `ClientIp` 🔒: Tuwunel client-IP extractor. See module docs.
- `ConfiguredIpSource`: Marker wrapper around `IpSource` placed into request extensions only when an operator has explicitly configured `ip_source`.
- `TrustedPeerSubnets`: Operator-configured subnets whose TCP peers bypass the secure `ip_source` extraction in the same way loopback peers do. Installed in request extensions only when the configured list is non-empty.
Functions
- `cloudfront_viewer_address` 🔒
- `insecure_fallback` 🔒: Leftmost header scan with `ConnectInfo` fallback.
- `leftmost_forwarded` 🔒: Parse `for=` from the leftmost RFC 7239 stanza. Tolerates quoted values, bracketed IPv6, and an optional `:port` suffix.
- `leftmost_x_forwarded_for` 🔒
- `parse_forwarded_for` 🔒
- `peer_is_trusted` 🔒
- `rightmost_forwarded` 🔒
- `rightmost_x_forwarded_for` 🔒
- `secure_extract` 🔒
- `single_ip_header` 🔒
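
The `for=` parsing described for `leftmost_forwarded`, as an added example using only the standard library; it is not Tuwunel's code, and the names `example_parse_for_value` and `example_leftmost_for` are hypothetical. The last sample header shows that the leftmost stanza is whatever the sender wrote, which is why the page places this scan in the insecure fallback path.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// Hypothetical helper: turn one `for=` value into an address.
/// Accepts optional quotes, a bracketed IPv6 literal and a trailing `:port`.
fn example_parse_for_value(raw: &str) -> Option<IpAddr> {
    let v = raw.trim().trim_matches('"');
    if let Some(rest) = v.strip_prefix('[') {
        // "[2001:db8::1]" or "[2001:db8::1]:4711"
        let (addr, tail) = rest.split_once(']')?;
        let port_ok = tail.is_empty()
            || tail.strip_prefix(':').map_or(false, |p| p.parse::<u16>().is_ok());
        return if port_ok { addr.parse::<Ipv6Addr>().ok().map(IpAddr::V6) } else { None };
    }
    if let Ok(ip) = v.parse::<IpAddr>() {
        return Some(ip); // bare address, no port
    }
    // Remaining accepted form is "a.b.c.d:port"; "unknown" and "_obfuscated" yield None.
    let (host, port) = v.rsplit_once(':')?;
    port.parse::<u16>().ok()?;
    host.parse::<Ipv4Addr>().ok().map(IpAddr::V4)
}

/// Hypothetical helper: address from the `for` parameter of the leftmost stanza.
/// Simplification: splits on ',' and ';' without honouring those characters inside quotes.
pub fn example_leftmost_for(header: &str) -> Option<IpAddr> {
    let stanza = header.split(',').next()?;
    let (_, value) = stanza
        .split(';')
        .filter_map(|pair| pair.split_once('='))
        .find(|(key, _)| key.trim().eq_ignore_ascii_case("for"))?;
    example_parse_for_value(value)
}

fn main() {
    // Constructed sample headers (documentation address ranges).
    for h in [
        "for=192.0.2.60;proto=http;by=203.0.113.43",
        "For=\"[2001:db8:cafe::17]:4711\", for=198.51.100.17",
        "for=192.0.2.43:8080",
        "for=unknown, for=198.51.100.17",
        // Leftmost entry is whatever the sender wrote; the proxy appended the second.
        "for=10.0.0.1, for=203.0.113.7",
    ] {
        println!("{:?} -> {:?}", h, example_leftmost_for(h));
    }
}
```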