apache · spacewander · May 13, 2022 · May 5, 2022 · May 6, 2022 · May 6, 2022
diff --git a/apisix/plugins/real-ip.lua b/apisix/plugins/real-ip.lua
@@ -15,12 +15,16 @@
 -- limitations under the License.
 --
 local core = require("apisix.core")
+local ngx_re_split = require("ngx.re").split
 local is_apisix_or, client = pcall(require, "resty.apisix.client")
 local str_byte = string.byte
 local str_sub = string.sub
 local ipairs = ipairs
 local type = type
 
+local lrucache = core.lrucache.new({
+    type = "plugin",
+})
 
 local schema = {
     type = "object",
@@ -33,6 +37,10 @@ local schema = {
         source = {
             type = "string",
             minLength = 1
+        },
+        recursive = {
+            type = "boolean",
+            default = false
         }
     },
     required = {"source"},
@@ -67,6 +75,22 @@ function _M.check_schema(conf)
 end
 
 
+local function addr_match(conf, ctx, addr)
+    if not conf.trusted_addresses then
+        return false
+    end
+
+    local matcher, err = core.lrucache.plugin_ctx(lrucache, ctx, nil,
+                                                  core.ip.create_ip_matcher, conf.trusted_addresses)
+    if not matcher then
+        core.log.error("failed to create ip matcher: ", err)
+        return false
+    end
+
+    return matcher:match(addr)
+end
+
+
 local function get_addr(conf, ctx)
     if conf.source == "http_x_forwarded_for" then
         -- use the last address from X-Forwarded-For header
@@ -84,6 +108,17 @@ local function get_addr(conf, ctx)
             return addrs
         end
 
+        if conf.recursive and conf.trusted_addresses then
+            local split_addrs = ngx_re_split(addrs, ",\\s*", "jo")
+            for i = #split_addrs, 2, -1 do
+                if not addr_match(conf, ctx, split_addrs[i]) then
+                    return split_addrs[i]
+                end
+            end
+
+            return split_addrs[1]
+        end
+
         for i = idx + 1, #addrs do
             if str_byte(addrs, i) == str_byte(" ") then
                 idx = idx + 1
@@ -105,13 +140,8 @@ function _M.rewrite(conf, ctx)
     end
 
     if conf.trusted_addresses then
-        if not conf.matcher then
-            conf.matcher = core.ip.create_ip_matcher(conf.trusted_addresses)
-        end
-
         local remote_addr = ctx.var.remote_addr
-        local trusted = conf.matcher:match(remote_addr)
-        if not trusted then
+        if not addr_match(conf, ctx, remote_addr) then
             return
         end
     end

diff --git a/docs/en/latest/plugins/real-ip.md b/docs/en/latest/plugins/real-ip.md
@@ -41,10 +41,11 @@ This Plugin requires APISIX to run on [APISIX-Base](../how-to-build.md#step-6-bu
 
 ## Attributes
 
-| Name              | Type          | Required | Valid values                                                    | Description                                                                       |
-|-------------------|---------------|----------|-----------------------------------------------------------------|-----------------------------------------------------------------------------------|
-| source            | string        | True     | Any Nginx variable like `arg_realip` or `http_x_forwarded_for`. | Dynamically sets the client's IP address and an optional port from APISIX's view. |
-| trusted_addresses | array[string] | False    | List of IPs or CIDR ranges.                                     | Dynamically sets the `set_real_ip_from` field.                                    |
+| Name              | Type          | Required | Valid values                                                    | Description                                                                                                                                                                                                                                                                                                                                                |
+|-------------------|---------------|----------|-----------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| source            | string        | True     | Any Nginx variable like `arg_realip` or `http_x_forwarded_for`. | Dynamically sets the client's IP address and an optional port from APISIX's view.                                                                                                                                                                                                                                                                          |
+| trusted_addresses | array[string] | False    | List of IPs or CIDR ranges.                                     | Dynamically sets the `set_real_ip_from` field.                                                                                                                                                                                                                                                                                                             |
+| recursive         | boolean       | False    | True to enable, false to disable, default is false              | If recursive search is disabled, the original client address that matches one of the trusted addresses is replaced by the last address sent in the configured `source`. If recursive search is enabled, the original client address that matches one of the trusted addresses is replaced by the last non-trusted address sent in the configured `source`. |
 
 :::note
 

diff --git a/docs/zh/latest/plugins/real-ip.md b/docs/zh/latest/plugins/real-ip.md
@@ -42,9 +42,10 @@ description: 本文介绍了关于 Apache APISIX `real-ip` 插件的基本信息
 ## 属性
 
 | 名称              | 类型          | 必选项 | 有效值                                                       | 描述                                                                                     |
-|-------------------|---------------|-------|-------------------------------------------------------------|----------------------------------------------------------------------|
-| source            | string        | 是    | 任何 NGINX 变量，如 `arg_realip` 或 `http_x_forwarded_for` 。 | 动态设置客户端的 IP 地址和端口。如果该值不包含端口，则不会更改客户端的端口。|
-| trusted_addresses | array[string] | 否    | IP 或 CIDR 范围列表。                                         | 动态设置 `set_real_ip_from` 字段。                                    |
+|-------------------|---------------|--|-------------------------------------------------------------|----------------------------------------------------------------------|
+| source            | string        | 是 | 任何 NGINX 变量，如 `arg_realip` 或 `http_x_forwarded_for` 。 | 动态设置客户端的 IP 地址和端口。如果该值不包含端口，则不会更改客户端的端口。|
+| trusted_addresses | array[string] | 否 | IP 或 CIDR 范围列表。                                         | 动态设置 `set_real_ip_from` 字段。                                    |
+| recursive         | boolean       | 否 | true 或者 false，默认是 false                                | 如果禁用递归搜索，则与受信任地址之一匹配的原始客户端地址将替换为配置的`source`中发送的最后一个地址。如果启用递归搜索，则与受信任地址之一匹配的原始客户端地址将替换为配置的`source`中发送的最后一个非受信任地址。 |
 
 :::note
 

diff --git a/t/plugin/real-ip.t b/t/plugin/real-ip.t
@@ -427,3 +427,50 @@ passed
 GET /hello
 --- more_headers
 X-Forwarded-For: 1.1.1.1
+
+
+
+=== TEST 22: X-Forwarded-For and recursive
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                ngx.HTTP_PUT,
+                [[{
+                    "uri": "/hello",
+                    "upstream": {
+                        "type": "roundrobin",
+                        "nodes": {
+                            "127.0.0.1:1980": 1
+                        }
+                    },
+                    "plugins": {
+                        "real-ip": {
+                            "trusted_addresses": ["192.128.0.0/16", "127.0.0.0/24"],
+                            "source": "http_x_forwarded_for",
+                            "recursive": true
+                        },
+                        "ip-restriction": {
+                            "whitelist": ["1.1.1.1"]
+                        }
+                    }
+            }]]
+            )
+
+        if code >= 300 then
+            ngx.status = code
+        end
+        ngx.say(body)
+    }
+}
+--- response_body
+passed
+
+
+
+=== TEST 23: hit
+--- request
+GET /hello
+--- more_headers
+X-Forwarded-For: 1.1.1.1, 192.128.1.1, 127.0.0.1