Module client_ip

Tuwunel’s client-IP extractor.

Two modes:

  • If the operator configured ip_source, a ConfiguredIpSource marker is installed in request extensions and the extractor reads from the chosen source. Exception: if the peer shown by ConnectInfo is on a loopback interface, or sits inside an operator-listed trusted subnet (see TrustedPeerSubnets), the insecure header-scan + ConnectInfo fallback runs instead, since such peers (e.g. a locally-connected appservice bridge, or a containerized bridge on a private Docker network) cannot have spoofed the address at the IP layer.
  • Otherwise the insecure header-scan + ConnectInfo fallback runs directly, preserving the prior default behaviour, including the socket-address fallback that matters for Unix-socket deployments.
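
A simplified sketch of the mode selection described above, added here as an illustration and not Tuwunel's own code. It assumes the configured source is the rightmost X-Forwarded-For entry and that the fallback scans only that header; `Subnet`, `peer_trusted`, `fallback`, `rightmost` and `client_ip` are hypothetical names.

```rust
use std::net::{IpAddr, Ipv4Addr};

/// Hypothetical stand-in for one operator-listed trusted subnet (IPv4 only).
struct Subnet { base: Ipv4Addr, prefix: u32 }

impl Subnet {
    fn contains(&self, ip: IpAddr) -> bool {
        let IpAddr::V4(v4) = ip else { return false };
        // checked_shl(32) is None, which gives the zero mask a /0 needs.
        let mask = u32::MAX.checked_shl(32u32.saturating_sub(self.prefix)).unwrap_or(0);
        (u32::from(v4) & mask) == (u32::from(self.base) & mask)
    }
}

/// Loopback peers and peers inside a trusted subnet take the fallback path.
fn peer_trusted(peer: IpAddr, trusted: &[Subnet]) -> bool {
    peer.is_loopback() || trusted.iter().any(|s| s.contains(peer))
}

/// Fallback path: leftmost X-Forwarded-For entry, else the socket peer.
fn fallback(xff: Option<&str>, peer: IpAddr) -> IpAddr {
    xff.and_then(|h| h.split(',').next())
        .and_then(|s| s.trim().parse::<IpAddr>().ok())
        .unwrap_or(peer)
}

/// Assumed configured source: the rightmost entry, appended by the nearest proxy.
fn rightmost(xff: Option<&str>) -> Option<IpAddr> {
    xff?.rsplit(',').next()?.trim().parse::<IpAddr>().ok()
}

/// `configured` models "ip_source is set". None means the configured source was
/// missing or unparsable; what the real extractor does then is not modelled.
fn client_ip(configured: bool, trusted: &[Subnet], xff: Option<&str>, peer: IpAddr) -> Option<IpAddr> {
    if !configured || peer_trusted(peer, trusted) {
        return Some(fallback(xff, peer));
    }
    rightmost(xff)
}

fn main() {
    // Constructed sample: a client-supplied entry, then the proxy-appended one.
    let xff = Some("198.51.100.7, 192.0.2.44");
    let docker = [Subnet { base: Ipv4Addr::new(172, 18, 0, 0), prefix: 16 }];
    for peer in ["203.0.113.9", "127.0.0.1", "172.18.0.5"] {
        println!("peer {peer:<12} -> {:?}", client_ip(true, &docker, xff, peer.parse().unwrap()));
    }
}
```

Only the first peer is resolved from the proxy-appended entry; the loopback and trusted-subnet peers get the leftmost value, so anything that can connect from those addresses is trusted to state the client IP.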

Structs

ClientIp 🔒
Tuwunel client-IP extractor. See module docs.
ConfiguredIpSource
Marker wrapper around IpSource placed into request extensions only when an operator has explicitly configured ip_source.
TrustedPeerSubnets
Operator-configured subnets whose TCP peers bypass the secure ip_source extraction in the same way loopback peers do. Installed in request extensions only when the configured list is non-empty.

Functions

cloudfront_viewer_address 🔒
insecure_fallback 🔒
Leftmost header scan with ConnectInfo fallback.
leftmost_forwarded 🔒
Parse for= from the leftmost RFC 7239 stanza. Tolerates quoted values, bracketed IPv6, and an optional :port suffix.
leftmost_x_forwarded_for 🔒
parse_forwarded_for 🔒
peer_is_trusted 🔒
rightmost_forwarded 🔒
rightmost_x_forwarded_for 🔒
secure_extract 🔒
single_ip_header 🔒