Any way to reliably get an incoming request's real IP address for rate-limiting? (I.e. prevent `x-forwarded-for` spoofing?)

I’m trying to rate-limit by IP address (or, more accurately, by a “prefix” of the IP address, since a user can easily get access to many, many IPv6 addresses), and I think one way to do this would be to sort of “ping” two services that echo a request back so you can determine how many of the “trailing” IP addresses are from proxies/gateways, and then the IP directly before that would be the real user’s IP? Seems a bit involved though, so I’m wondering if there’s an easier way. Is there perhaps a header that Glitch attaches to give me a request’s real IP address, reliably?

Thanks!

Hey @joe, the X-Forwarded-For header is commonly used to communicate the originating IP address, and Glitch’s load balancers and proxies follow that model, so you should be able to inspect that header to get the client’s IP address.

Hope this helps!

Hey @cori, the problem with that is that, as I mentioned in the original post, it is spoofable - a user can simply send a request with an x-forwarded-for header and then they’re basically pretending that they’re a gateway/proxy. I did propose a solution of that in my original post, but I was just wondering if there’s an easier way (e.g. a header that your gateway adds like “x-real-ip” that I can use). If not, no worries - just wanted to see if there was one, to potentially save me some time and effort.

Hey @joe - sorry I missed that context from your original question. You’re correct that if someone provides the X-Forwarded-For header in their request, the contents of that header are appended to the list of IPs already present. Unfortunately Glitch doesn’t provide any better information than what’s in that header - sorry for the inconvenience!

One thing that might help is that providing a custom X-Forwarded-For value doesn’t remove the actual upstream IP address from the list, it just adds that value to the list. So if you were trying to filter all requests from within 3.35.0.0/16 for instance, 3.35 would still show up in that list even if your target included 192.168.0.0 in their request.

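The reply above describes the usual shape of the header: anything the client sends arrives first, and the proxy appends the address that actually connected to it. The standard defence is to trust only a fixed number of trailing entries and key the rate limit on the entry just before them, reduced to a prefix for IPv6. The following is an added example in JavaScript, not code from the thread or from Glitch; the number of trusted proxy hops, the /64 IPv6 prefix, and the sample header values are assumptions that must be measured for the actual deployment.

```javascript
// Assumption: exactly one trusted proxy layer appends the real peer address.
// Measure this for your deployment by sending yourself a request and counting
// the entries the platform adds; too high trusts a spoofable entry, too low
// keys every request on the proxy's own address.
const TRUSTED_PROXIES = 1;

// Split "a, b, c" into trimmed, non-empty entries (leftmost = client-supplied).
function parseXff(headerValue) {
  return String(headerValue || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// Entry N from the right, where N = number of trusted proxies: the rightmost
// N-1 entries are proxy addresses written by the proxy behind each of them,
// and the entry before those is the peer that connected to the outermost
// trusted proxy. Everything left of it is untrusted client input.
function clientIpFromXff(headerValue, trustedProxies = TRUSTED_PROXIES) {
  const hops = parseXff(headerValue);
  const idx = hops.length - trustedProxies;
  return idx >= 0 && idx < hops.length ? hops[idx] : null;
}

// Expand IPv6 text into eight 16-bit numbers; null if it is not plain IPv6.
function expandIpv6(addr) {
  const parts = addr.split('::');
  if (parts.length > 2) return null;
  const head = parts[0] ? parts[0].split(':') : [];
  const tail = parts.length === 2 && parts[1] ? parts[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (parts.length === 1 && missing !== 0)) return null;
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// Rate-limit key: IPv4 as a /32, IPv6 truncated to a prefix (default /64),
// so a user who controls a whole IPv6 block shares one bucket.
function rateLimitKey(ip, v6PrefixBits = 64) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return `${ip}/32`;
  const groups = expandIpv6(ip);
  if (!groups) return null;
  const full = Math.floor(v6PrefixBits / 16);
  const rem = v6PrefixBits % 16;
  const kept = groups.slice(0, full);
  if (rem > 0) kept.push(groups[full] & (0xffff << (16 - rem)) & 0xffff);
  return `${kept.map((g) => g.toString(16)).join(':')}::/${v6PrefixBits}`;
}

module.exports = { parseXff, clientIpFromXff, expandIpv6, rateLimitKey };
```

In an Express handler the key would be `rateLimitKey(clientIpFromXff(req.headers['x-forwarded-for']))`, with a null result treated as a request to reject or to key on `req.socket.remoteAddress`.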

No worries! Thanks for your help :slight_smile:
