ntp/common
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(ekko): add WithTrustOptions for CDN IP trust configuration

Browse Source 
Allow callers to append additional echo.TrustOption values to the
default IP extraction configuration. This enables trusting CDN IP
ranges (e.g. Fastly) when extracting client IPs from X-Forwarded-For.
This commit is contained in:
Ask Bjørn Hansen
2026-03-08 18:31:44 -07:00
parent 92b202037a
commit 82de580879
2 changed files with 19 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
ekko/ekko.go
View File

@@ -163,6 +163,7 @@ func (ek *Ekko) setup(ctx context.Context) (*echo.Echo, error) {
echo.TrustLinkLocal(false), echo.TrustLinkLocal(false),
echo.TrustPrivateNet(true), echo.TrustPrivateNet(true),
} }
trustOptions = append(trustOptions, ek.extraTrustOptions...)
e.IPExtractor = echo.ExtractIPFromXFFHeader(trustOptions...) e.IPExtractor = echo.ExtractIPFromXFFHeader(trustOptions...)
if ek.otelmiddleware == nil { if ek.otelmiddleware == nil {

25
ekko/options.go
View File

@@ -13,13 +13,14 @@ import (
// It encapsulates server configuration, middleware options, and lifecycle management // It encapsulates server configuration, middleware options, and lifecycle management
// for NTP Pool web services. Use New() with functional options to configure. // for NTP Pool web services. Use New() with functional options to configure.
type Ekko struct { type Ekko struct {
name string name string
prom prometheus.Registerer prom prometheus.Registerer
port int port int
routeFn func(e *echo.Echo) error routeFn func(e *echo.Echo) error
logFilters []slogecho.Filter logFilters []slogecho.Filter
otelmiddleware echo.MiddlewareFunc otelmiddleware echo.MiddlewareFunc
gzipConfig *middleware.GzipConfig gzipConfig *middleware.GzipConfig
extraTrustOptions []echo.TrustOption
writeTimeout time.Duration writeTimeout time.Duration
readHeaderTimeout time.Duration readHeaderTimeout time.Duration
@@ -92,6 +93,16 @@ func WithReadHeaderTimeout(t time.Duration) func(*Ekko) {
} }
} }
// WithTrustOptions appends additional trust options to the default IP extraction
// configuration. These options are applied after the built-in trust settings
// (loopback trusted, link-local untrusted, private networks trusted) when
// extracting client IPs from the X-Forwarded-For header.
func WithTrustOptions(opts ...echo.TrustOption) func(*Ekko) {
return func(ek *Ekko) {
ek.extraTrustOptions = append(ek.extraTrustOptions, opts...)
}
}
// WithGzipConfig provides custom gzip compression configuration. // WithGzipConfig provides custom gzip compression configuration.
// By default, gzip compression is enabled with standard settings. // By default, gzip compression is enabled with standard settings.
// Use this option to customize compression level, skip patterns, or disable compression. // Use this option to customize compression level, skip patterns, or disable compression.