Use X-Forwarded-For before X-Real-Ip

Nginx uses X-Real-Ip with its IP instead of the client's IP. Therefore, we should use X-Forwarded-For *before* X-Real-Ip
2025-10-15 21:06:39 +08:00 · 2016-08-30 18:58:39 +03:00 · 2016-08-30 18:58:39 +03:00 · 0d10500918
commit 0d10500918
parent f931d1ea80
1 changed files with 6 additions and 5 deletions
--- a/context.go
+++ b/context.go
@ -305,13 +305,10 @@ func (c *Context) BindWith(obj interface{}, b binding.Binding) error {

 // ClientIP implements a best effort algorithm to return the real client IP, it parses
 // X-Real-IP and X-Forwarded-For in order to work properly with reverse-proxies such us: nginx or haproxy.
+// Use X-Forwarded-For before X-Real-Ip as nginx uses X-Real-Ip with the proxy's IP.
 func (c *Context) ClientIP() string {
 	if c.engine.ForwardedByClientIP {
-		clientIP := strings.TrimSpace(c.requestHeader("X-Real-Ip"))
-		if len(clientIP) > 0 {
-			return clientIP
-		}
-		clientIP = c.requestHeader("X-Forwarded-For")
+		clientIP := c.requestHeader("X-Forwarded-For")
 		if index := strings.IndexByte(clientIP, ','); index >= 0 {
 			clientIP = clientIP[0:index]
 		}
@ -319,6 +316,10 @@ func (c *Context) ClientIP() string {
 		if len(clientIP) > 0 {
 			return clientIP
 		}
+		clientIP = strings.TrimSpace(c.requestHeader("X-Real-Ip"))
+		if len(clientIP) > 0 {
+			return clientIP
+		}
 	}
 	if ip, _, err := net.SplitHostPort(strings.TrimSpace(c.Request.RemoteAddr)); err == nil {
 		return ip