Overview
Theforwarded middleware parses X-Forwarded-* headers set by load balancers and proxies, extracting client IP, protocol, host, and other forwarded information.
Installation
Quick Start
Configuration
| Option | Type | Default | Description |
|---|---|---|---|
TrustProxy | bool | true | Trust forwarded headers |
TrustedProxies | []string | - | List of trusted proxy IPs/CIDRs |
Headers Parsed
| Header | Information |
|---|---|
X-Forwarded-For | Client IP chain |
X-Forwarded-Host | Original host |
X-Forwarded-Proto | Protocol (http/https) |
X-Forwarded-Port | Original port |
X-Forwarded-Prefix | Path prefix |
Forwarded | RFC 7239 header |
Examples
Basic Usage
Trusted Proxies Only
Helper Functions
Info Struct
API Reference
Technical Details
Header Processing Priority
The middleware processes headers in the following order:- X-Forwarded-For: Extracts the client IP from the first entry in the comma-separated list
- X-Forwarded-Host: Sets the original host requested by the client
- X-Forwarded-Proto: Determines if the original request was HTTP or HTTPS
- X-Forwarded-Port: Captures the original port number
- X-Forwarded-Prefix: Records any path prefix added by reverse proxies
- Forwarded (RFC 7239): Parses the standardized Forwarded header, which can override previous values
Trusted Proxy Validation
WhenTrustedProxies is configured:
- IP addresses are automatically converted to CIDR notation (single IPs get
/32) - The middleware checks if the remote address matches any trusted CIDR ranges
- If no match is found, all X-Forwarded-* headers are ignored and the remote address is used
IP Parsing
The middleware handles various IP address formats:- Standard IPv4 addresses (e.g.,
192.168.1.1) - IPv6 addresses in RFC 7239 format with brackets (e.g.,
[2001:db8::1]) - Addresses with port numbers (automatically stripped)
Context Storage
Forwarded information is stored in the request context using a private context key, making it accessible throughout the request lifecycle via helper functions.Best Practices
- Always specify trusted proxies in production environments to prevent header spoofing
- Use CIDR notation for trusted proxy ranges to cover entire subnets
- Validate client IPs after extraction if using them for security decisions
- Prefer RFC 7239 Forwarded header when possible for better standardization
- Disable TrustProxy when not behind a reverse proxy to avoid security issues
Testing
The middleware includes comprehensive test coverage for various scenarios:| Test Case | Description | Expected Behavior |
|---|---|---|
TestNew | Basic middleware functionality with X-Forwarded headers | Correctly parses X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Host |
TestWithOptions_TrustedProxies (trusted proxy) | Request from a trusted proxy IP | Honors X-Forwarded-For header and extracts client IP |
TestWithOptions_TrustedProxies (untrusted proxy) | Request from an untrusted proxy IP | Ignores X-Forwarded-For and uses RemoteAddr instead |
TestWithOptions_XForwardedForMultiple | Multiple IPs in X-Forwarded-For chain | Extracts the first (original client) IP from the chain |
TestWithOptions_ForwardedHeader | RFC 7239 Forwarded header parsing | Correctly parses for, proto, and host from Forwarded header |
TestFromContext | Alias function for Get() | FromContext returns same result as Get() |
TestClientIP | ClientIP helper function | Returns parsed client IP as net.IP |
TestProto (with header) | Protocol extraction with X-Forwarded-Proto | Returns “https” when header is present |
TestProto (without header) | Protocol extraction without header | Returns default “http” when no header present |
TestHost | Host extraction from X-Forwarded-Host | Returns forwarded host value |
TestWithOptions_DisableTrustProxy | TrustProxy disabled | Ignores all X-Forwarded headers and uses RemoteAddr |
Security Note
Only enableTrustProxy when behind a trusted proxy. Untrusted clients can spoof these headers.