Merge pull request #1991 from ethereum-optimism/inphi/xff

feat(proxyd): Add X-Forwarded-For header when proxying RPCs

Merge pull request #1991 from ethereum-optimism/inphi/xff
feat(proxyd): Add X-Forwarded-For header when proxying RPCs
cebc747c · Matthew Slipper · GitHub · c9123af4 · 8aa89bf3 · cebc747c
Commit cebc747c authored Jan 07, 2022 by Matthew Slipper Committed by GitHub Jan 07, 2022
Showing with 79 additions and 18 deletions

fair-eyes-build.md .changeset/fair-eyes-build.md +5 -0

backend.go go/proxyd/backend.go +34 -3

config.go go/proxyd/config.go +10 -9

proxyd.go go/proxyd/proxyd.go +4 -0

server.go go/proxyd/server.go +26 -6

No files found.
--- a/.changeset/fair-eyes-build.md
+++ b/.changeset/fair-eyes-build.md
+---
+'@eth-optimism/proxyd': minor
+---
+Add X-Forwarded-For header when proxying RPCs on proxyd
--- a/go/proxyd/backend.go
+++ b/go/proxyd/backend.go
@@ -7,16 +7,18 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/ethereum/go-ethereum/log"
-	"github.com/gorilla/websocket"
-	"github.com/prometheus/client_golang/prometheus"
 	"io"
 	"io/ioutil"
 	"math"
 	"math/rand"
 	"net/http"
 	"strconv"
+	"strings"
 	"time"
+	"github.com/ethereum/go-ethereum/log"
+	"github.com/gorilla/websocket"
+	"github.com/prometheus/client_golang/prometheus"
 )
 const (
@@ -84,6 +86,8 @@ type Backend struct {
 	maxRPS               int
 	maxWSConns           int
 	outOfServiceInterval time.Duration
+	stripTrailingXFF     bool
+	proxydIP             string
 }
 type BackendOpt func(b *Backend)
@@ -140,6 +144,18 @@ func WithTLSConfig(tlsConfig *tls.Config) BackendOpt {
 	}
 }
+func WithStrippedTrailingXFF() BackendOpt {
+	return func(b *Backend) {
+		b.stripTrailingXFF = true
+	}
+}
+func WithProxydIP(ip string) BackendOpt {
+	return func(b *Backend) {
+		b.proxydIP = ip
+	}
+}
 func NewBackend(
 	name string,
 	rpcURL string,
@@ -163,6 +179,10 @@ func NewBackend(
 		opt(backend)
 	}
+	if !backend.stripTrailingXFF && backend.proxydIP == "" {
+		log.Warn("proxied requests' XFF header will not contain the proxyd ip address")
+	}
 	return backend
 }
@@ -316,7 +336,18 @@ func (b *Backend) doForward(ctx context.Context, rpcReq *RPCReq) (*RPCRes, error
 		httpReq.SetBasicAuth(b.authUsername, b.authPassword)
 	}
+	xForwardedFor := GetXForwardedFor(ctx)
+	if b.stripTrailingXFF {
+		ipList := strings.Split(xForwardedFor, ", ")
+		if len(ipList) > 0 {
+			xForwardedFor = ipList[0]
+		}
+	} else if b.proxydIP != "" {
+		xForwardedFor = fmt.Sprintf("%s, %s", xForwardedFor, b.proxydIP)
+	}
 	httpReq.Header.Set("content-type", "application/json")
+	httpReq.Header.Set("X-Forwarded-For", xForwardedFor)
 	httpRes, err := b.client.Do(httpReq)
 	if err != nil {

--- a/go/proxyd/config.go
+++ b/go/proxyd/config.go
@@ -32,15 +32,16 @@ type BackendOptions struct {
 }
 type BackendConfig struct {
-	Username       string `toml:"username"`
+	Username         string `toml:"username"`
-	Password       string `toml:"password"`
+	Password         string `toml:"password"`
-	RPCURL         string `toml:"rpc_url"`
+	RPCURL           string `toml:"rpc_url"`
-	WSURL          string `toml:"ws_url"`
+	WSURL            string `toml:"ws_url"`
-	MaxRPS         int    `toml:"max_rps"`
+	MaxRPS           int    `toml:"max_rps"`
-	MaxWSConns     int    `toml:"max_ws_conns"`
+	MaxWSConns       int    `toml:"max_ws_conns"`
-	CAFile         string `toml:"ca_file"`
+	CAFile           string `toml:"ca_file"`
-	ClientCertFile string `toml:"client_cert_file"`
+	ClientCertFile   string `toml:"client_cert_file"`
-	ClientKeyFile  string `toml:"client_key_file"`
+	ClientKeyFile    string `toml:"client_key_file"`
+	StripTrailingXFF bool   `toml:"strip_trailing_xff"`
 }
 type BackendsConfig map[string]*BackendConfig

--- a/go/proxyd/proxyd.go
+++ b/go/proxyd/proxyd.go
@@ -96,6 +96,10 @@ func Start(config *Config) error {
 			log.Info("using custom TLS config for backend", "name", name)
 			opts = append(opts, WithTLSConfig(tlsConfig))
 		}
+		if cfg.StripTrailingXFF {
+			opts = append(opts, WithStrippedTrailingXFF())
+		}
+		opts = append(opts, WithProxydIP(os.Getenv("PROXYD_IP")))
 		back := NewBackend(name, rpcURL, wsURL, lim, opts...)
 		backendNames = append(backendNames, name)
 		backendsByName[name] = back

--- a/go/proxyd/server.go
+++ b/go/proxyd/server.go
@@ -5,20 +5,23 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
 	"github.com/ethereum/go-ethereum/log"
 	"github.com/gorilla/mux"
 	"github.com/gorilla/websocket"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/rs/cors"
-	"io"
-	"net/http"
-	"strconv"
-	"time"
 )
 const (
-	ContextKeyAuth  = "authorization"
+	ContextKeyAuth          = "authorization"
-	ContextKeyReqID = "req_id"
+	ContextKeyReqID         = "req_id"
+	ContextKeyXForwardedFor = "x_forwarded_for"
 )
 type Server struct {
@@ -214,7 +217,16 @@ func (s *Server) populateContext(w http.ResponseWriter, r *http.Request) context
 		return nil
 	}
+	xff := r.Header.Get("X-Forwarded-For")
+	if xff == "" {
+		ipPort := strings.Split(r.RemoteAddr, ":")
+		if len(ipPort) == 2 {
+			xff = ipPort[0]
+		}
+	}
 	ctx := context.WithValue(r.Context(), ContextKeyAuth, s.authenticatedPaths[authorization])
+	ctx = context.WithValue(ctx, ContextKeyXForwardedFor, xff)
 	return context.WithValue(
 		ctx,
 		ContextKeyReqID,
@@ -271,3 +283,11 @@ func GetReqID(ctx context.Context) string {
 	}
 	return reqId
 }
+func GetXForwardedFor(ctx context.Context) string {
+	xff, ok := ctx.Value(ContextKeyXForwardedFor).(string)
+	if !ok {
+		return ""
+	}
+	return xff
+}