Add XForwardedForReverseProxy option

which basically tells GeoBlock to only allow/deny a request based on the
first IP address in the X-ForwardedFor HTTP header. This is useful for
servers behind e.g. a Cloudflare proxy

Author: PascalMinder

geoblock.go

@@ -41,6 +41,7 @@ type Config struct {
 	APITimeoutMs                 int      `yaml:"apiTimeoutMs"`
 	IgnoreAPITimeout             bool     `yaml:"ignoreApiTimeout"`
 	IPGeolocationHTTPHeaderField string   `yaml:"ipGeolocationHttpHeaderField"`
+	XForwardedForReverseProxy    bool     `yaml:"xForwardedForReverseProxy"`
 	CacheSize                    int      `yaml:"cacheSize"`
 	ForceMonthlyUpdate           bool     `yaml:"forceMonthlyUpdate"`
 	AllowUnknownCountries        bool     `yaml:"allowUnknownCountries"`
@@ -75,6 +76,7 @@ type GeoBlock struct {
 	apiTimeoutMs                 int
 	ignoreAPITimeout             bool
 	iPGeolocationHTTPHeaderField string
+	xForwardedForReverseProxy    bool
 	forceMonthlyUpdate           bool
 	allowUnknownCountries        bool
 	unknownCountryCode           string
@@ -157,6 +159,7 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 		apiTimeoutMs:                 config.APITimeoutMs,
 		ignoreAPITimeout:             config.IgnoreAPITimeout,
 		iPGeolocationHTTPHeaderField: config.IPGeolocationHTTPHeaderField,
+		xForwardedForReverseProxy:    config.XForwardedForReverseProxy,
 		forceMonthlyUpdate:           config.ForceMonthlyUpdate,
 		allowUnknownCountries:        config.AllowUnknownCountries,
 		unknownCountryCode:           config.UnknownCountryAPIResponse,
@@ -182,6 +185,11 @@ func (a *GeoBlock) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		return
 	}
 
+	// only keep the first IP address, which should be the client (if the proxy behaves itself), to check if allowed or denied
+	if a.xForwardedForReverseProxy {
+		requestIPAddresses = requestIPAddresses[:1]
+	}
+
 	for _, requestIPAddress := range requestIPAddresses {
 		if !a.allowDenyIPAddress(requestIPAddress, req) {
 			rw.WriteHeader(a.httpStatusCodeDeniedRequest)

geoblock_test.go

@@ -209,6 +209,62 @@ func TestMultipleIpAddressesReverse(t *testing.T) {
 	assertStatusCode(t, recorder.Result(), http.StatusForbidden)
 }
 
+func TestMultipleIpAddressesProxy(t *testing.T) {
+	cfg := createTesterConfig()
+
+	cfg.Countries = append(cfg.Countries, "CA")
+	cfg.XForwardedForReverseProxy = true
+
+	ctx := context.Background()
+	next := http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {})
+
+	handler, err := geoblock.New(ctx, next, cfg, "GeoBlock")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	recorder := httptest.NewRecorder()
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req.Header.Add(xForwardedFor, strings.Join([]string{caExampleIP, chExampleIP}, ","))
+
+	handler.ServeHTTP(recorder, req)
+
+	assertStatusCode(t, recorder.Result(), http.StatusOK)
+}
+
+func TestMultipleIpAddressesProxyReverse(t *testing.T) {
+	cfg := createTesterConfig()
+
+	cfg.Countries = append(cfg.Countries, "CA")
+	cfg.XForwardedForReverseProxy = true
+
+	ctx := context.Background()
+	next := http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {})
+
+	handler, err := geoblock.New(ctx, next, cfg, "GeoBlock")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	recorder := httptest.NewRecorder()
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://localhost", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	req.Header.Add(xForwardedFor, strings.Join([]string{chExampleIP, caExampleIP}, ","))
+
+	handler.ServeHTTP(recorder, req)
+
+	assertStatusCode(t, recorder.Result(), http.StatusForbidden)
+}
+
 func TestAllowedUnknownCountry(t *testing.T) {
 	cfg := createTesterConfig()