middleware/log_request: Add logging for processed X-Forwarded-For header values

Turbo87 · Turbo87 · commit 1bf0e2d58d41 · 2023-10-25T18:00:17.000+02:00
This is supposed to eventually replace the `X-Real-IP` header usage once production traffic has shown that our implementation is correct.
diff --git a/src/middleware/log_request.rs b/src/middleware/log_request.rs
@@ -4,13 +4,15 @@
 use crate::controllers::util::RequestPartsExt;
 use crate::headers::{XRealIp, XRequestId};
 use crate::middleware::normalize_path::OriginalPath;
+use crate::real_ip::process_xff_headers;
 use axum::headers::UserAgent;
 use axum::middleware::Next;
 use axum::response::IntoResponse;
 use axum::{Extension, TypedHeader};
 use http::{Method, Request, StatusCode, Uri};
 use parking_lot::Mutex;
 use std::fmt::{self, Display, Formatter};
+use std::net::IpAddr;
 use std::ops::Deref;
 use std::sync::Arc;
 use std::time::{Duration, Instant};
@@ -39,6 +41,7 @@ pub struct Metadata<'a> {
     cause: Option<&'a CauseField>,
     error: Option<&'a ErrorField>,
     duration: Duration,
+    real_ip: Option<IpAddr>,
     custom_metadata: RequestLog,
 }
 
@@ -71,10 +74,19 @@ impl Display for Metadata<'_> {
             };
         }
 
-        match &self.request.real_ip {
-            Some(header) => line.add_quoted_field("fwd", header.as_str())?,
-            None => line.add_quoted_field("fwd", "")?,
-        };
+        let real_ip = self.real_ip.map(|ip| ip.to_string()).unwrap_or_default();
+        line.add_quoted_field("ip", &real_ip)?;
+
+        let x_real_ip = self.request.real_ip.as_ref();
+        let x_real_ip = x_real_ip
+            .map(|ip| ip.as_str().to_string())
+            .unwrap_or_default();
+        line.add_quoted_field("fwd", &x_real_ip)?;
+
+        // TODO: Remove this once production traffic has shown that `ip == fwd`
+        if real_ip != x_real_ip {
+            line.add_marker("ip!=fwd")?;
+        }
 
         let response_time_in_ms = self.duration.as_millis();
         if !is_download_redirect || response_time_in_ms > 0 {
@@ -122,6 +134,8 @@ pub async fn log_requests<B>(
     let custom_metadata = RequestLog::default();
     req.extensions_mut().insert(custom_metadata.clone());
 
+    let real_ip = process_xff_headers(req.headers());
+
     let response = next.run(req).await;
 
     let metadata = Metadata {
@@ -130,6 +144,7 @@ pub async fn log_requests<B>(
         cause: response.extensions().get(),
         error: response.extensions().get(),
         duration: start_instant.elapsed(),
+        real_ip,
         custom_metadata,
     };
 
diff --git a/src/real_ip.rs b/src/real_ip.rs
@@ -156,7 +156,6 @@ fn is_cloud_front_ip(ip: &IpAddr) -> bool {
         .any(|trusted_proxy| trusted_proxy.contains(*ip))
 }
 
-#[allow(dead_code)]
 pub fn process_xff_headers(headers: &HeaderMap) -> Option<IpAddr> {
     let mut xff_iter = headers.get_all(X_FORWARDED_FOR).iter();
     let first_header = xff_iter.next()?;

Original file line number	Diff line number	Diff line change
`@@ -156,7 +156,6 @@ fn is_cloud_front_ip(ip: &IpAddr) -> bool {`
`156`	`156`	`.any(\|trusted_proxy\| trusted_proxy.contains(*ip))`
`157`	`157`	`}`
`158`	`158`
`159`		`-#[allow(dead_code)]`
`160`	`159`	`pub fn process_xff_headers(headers: &HeaderMap) -> Option<IpAddr> {`
`161`	`160`	`let mut xff_iter = headers.get_all(X_FORWARDED_FOR).iter();`
`162`	`161`	`let first_header = xff_iter.next()?;`