feat(ekko): add WithTrustOptions for CDN IP trust configuration

Allow callers to append additional echo.TrustOption values to the
default IP extraction configuration. This enables trusting CDN IP
ranges (e.g. Fastly) when extracting client IPs from X-Forwarded-For.

ekko/ekko.go

@@ -163,6 +163,7 @@ func (ek *Ekko) setup(ctx context.Context) (*echo.Echo, error) {
 		echo.TrustLinkLocal(false),
 		echo.TrustPrivateNet(true),
 	}
+	trustOptions = append(trustOptions, ek.extraTrustOptions...)
 	e.IPExtractor = echo.ExtractIPFromXFFHeader(trustOptions...)
 
 	if ek.otelmiddleware == nil {

ekko/options.go

@@ -20,6 +20,7 @@ type Ekko struct {
 	logFilters        []slogecho.Filter
 	otelmiddleware    echo.MiddlewareFunc
 	gzipConfig        *middleware.GzipConfig
+	extraTrustOptions []echo.TrustOption
 
 	writeTimeout      time.Duration
 	readHeaderTimeout time.Duration
@@ -92,6 +93,16 @@ func WithReadHeaderTimeout(t time.Duration) func(*Ekko) {
 	}
 }
 
+// WithTrustOptions appends additional trust options to the default IP extraction
+// configuration. These options are applied after the built-in trust settings
+// (loopback trusted, link-local untrusted, private networks trusted) when
+// extracting client IPs from the X-Forwarded-For header.
+func WithTrustOptions(opts ...echo.TrustOption) func(*Ekko) {
+	return func(ek *Ekko) {
+		ek.extraTrustOptions = append(ek.extraTrustOptions, opts...)
+	}
+}
+
 // WithGzipConfig provides custom gzip compression configuration.
 // By default, gzip compression is enabled with standard settings.
 // Use this option to customize compression level, skip patterns, or disable compression.