Phoenix channel get user IP address

How do I get user’s IP address in mount callback when writing a channel? As far as I can see socket struct does not provide it

Then you can use connect_info third arg in connect function.

for me it’s inside the x_headers: [{"x-forwarded-for", "x.y.z.external-ip-here"}]. (in some networks you’ll see multiple IPs comma separated)

It matters if your app has a load balancer in front of it and in which way it’s configured, sometimes you have to explicitly configure it to forward the client’s IP address. So take caution you’re not only seeing internal IPs that belong to your load balancer/forwarder.

Here’s a cross reference to an earlier reply: Phoenix socket/channels security / IP identification

1 Like

The perils of the “real” client IP is a must-read on this topic. Recently posted on hacker news.

Its summary says:

  • When deriving the “real client IP address” from the X-Forwarded-For header, use the rightmost IP in the list.
  • The leftmost IP in the XFF header is commonly considered to be “closest to the client” and “most real”, but it’s trivially spoofable. Don’t use it for anything even close to security-related.
  • When choosing the rightmost XFF IP, make sure to use the last instance of that header.
  • Using special “true client IPs” set by reverse proxies (like X-Real-IP, True-Client-IP, etc.) can be good, but it depends on the a) how the reverse proxy actually sets it, b) whether the reverse proxy sets it if it’s already present/spoofed, and c) how you’ve configured the reverse proxy (sometimes).
  • Any header not specifically set by your reverse proxy cannot be trusted. For example, you must not check the X-Real-IP header if you’re not behind Nginx or something else that always sets it, because you’ll be reading a spoofed value.
  • A lot of rate limiter implementations are using spoofable IPs and are vulnerable to rate limiter escape and memory exhaustion attacks.
4 Likes

I was thinking of writing a plug to do this but found remote_ip the appears to adhere very closely to the considerations above. Thanks to @ajvondrak !

3 Likes

Great to hear about remote_ip! I’m using it with PlugAttack for implementing a simple rate limiter with Metamorphic.

I wrote a simple Medium post on how I implement it with hashing to respect people’s privacy (updated with a link/mention in the remote_ip section to your post above).

Thanks for sharing this and thanks to Alex, Michal, and contributors. :heart: