
Commit 1fe8ed8

committed
packages/ak-axum/extract/trusted_proxy: init (#21320)
Squashed commit of the following: commit a6d543b Merge: da38234 a522b8b Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:47:33 2026 +0200 Merge branch 'rust-axum-acceptor-proxy' into rust-axum-extract-trusted-proxy commit a522b8b Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:46:57 2026 +0200 fmt Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit da38234 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:16:30 2026 +0200 add doc Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 703d5af Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:12:58 2026 +0200 fixup Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 81f314c Merge: 544f662 5b13d5b Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:09:51 2026 +0200 Merge branch 'rust-axum-trace' into rust-axum-extract-trusted-proxy commit 5b13d5b Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:09:43 2026 +0200 fixup Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 544f662 Merge: 267336f 5e03610 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:08:55 2026 +0200 Merge branch 'rust-axum-trace' into rust-axum-extract-trusted-proxy commit 5e03610 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:08:20 2026 +0200 fixup Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 267336f Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:05:50 2026 +0200 fix layer order Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit e2ab302 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:00:34 2026 +0200 add docs Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 89fbf0d Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed 
Apr 1 18:56:17 2026 +0200 packages/ak-axum/extract/trusted_proxy: init Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 279610b Merge: 2917970 5c937d7 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 18:54:49 2026 +0200 Merge branch 'rust-axum-trace' into rust-axum-extract-trusted-proxy Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 2917970 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 18:40:31 2026 +0200 packages/ak-axum/accept/proxy_protocol: init Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit d999d80 Merge: 65f33d6 365de9d Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 18:38:50 2026 +0200 Merge branch 'rust-lib-proxy-protocol' into rust-axum-acceptor-proxy Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 65f33d6 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 18:35:12 2026 +0200 packages/ak-axum/accept/tls: init Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 116e601 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 18:28:43 2026 +0200 packages/ak-axum/server: init Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 5c937d7 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 17:40:46 2026 +0200 packages/ak-axum/tracing: init Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 67ed0dc Merge: b4f06d6 095d38c Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 17:17:40 2026 +0200 Merge branch 'rust-config' into rust-axum Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 365de9d Merge: ab239bf 0079984 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 17:15:04 2026 +0200 Merge branch 'rust-lib-rename' into rust-lib-proxy-protocol Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> 
commit 095d38c Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 17:11:52 2026 +0200 fixup Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 7eb07d5 Merge: cb1f86b 507eb2f Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 17:11:08 2026 +0200 Merge branch 'rust-arbiter' into rust-config commit 507eb2f Merge: 6968d59 0079984 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 17:10:37 2026 +0200 Merge branch 'rust-lib-rename' into rust-arbiter Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 0079984 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 17:08:07 2026 +0200 packages/ak-common: rename from ak-lib Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit b4f06d6 Merge: c08e2a3 cb1f86b Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 17:05:36 2026 +0200 wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit c08e2a3 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 17:05:01 2026 +0200 wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 75622e9 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 16:57:45 2026 +0200 packages/ak-axum: init Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit cb1f86b Merge: c8fa1b8 a3fea5d Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 16:53:19 2026 +0200 Merge branch 'fix-rustfmt-config' into rust-config commit 6968d59 Merge: 341c9cc a3fea5d Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 16:52:55 2026 +0200 Merge branch 'fix-rustfmt-config' into rust-arbiter commit ab239bf Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 16:39:44 2026 +0200 fix import Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit a3fea5d Author: Marc 'risson' Schmitt 
<marc.schmitt@risson.space> Date: Wed Apr 1 16:32:16 2026 +0200 root: fix rustfmt config Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 3ef0080 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 16:29:35 2026 +0200 packages/ak-lib/tokio/proxy_procotol: init Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit c8fa1b8 Merge: 48c833c 341c9cc Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Tue Mar 31 13:56:39 2026 +0200 Merge branch 'rust-arbiter' into rust-config commit 341c9cc Merge: a1cf0a7 55e555c Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Tue Mar 31 13:55:28 2026 +0200 Merge branch 'main' into rust-arbiter Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 48c833c Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 20:31:04 2026 +0200 lint Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 681117d Merge: 4c54511 a1cf0a7 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 20:03:49 2026 +0200 Merge branch 'rust-arbiter' into rust-config Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit a1cf0a7 Merge: 1ee6f11 524b788 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 20:03:01 2026 +0200 Merge branch 'rust-lib' into rust-arbiter Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 524b788 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 19:57:51 2026 +0200 fixup Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit dc65ab1 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 16:33:49 2026 +0200 packages/ak-lib: init Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 4c54511 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 19:52:55 2026 +0200 move into lib crate Signed-off-by: Marc 'risson' Schmitt 
<marc.schmitt@risson.space> commit d7141df Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 19:48:34 2026 +0200 fixup Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 2bab7ed Merge: 2bc79f1 1ee6f11 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 19:43:24 2026 +0200 Merge branch 'rust-arbiter' into rust-config commit 1ee6f11 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 19:43:21 2026 +0200 fixup Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 2bc79f1 Merge: e7d3704 27ff039 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 19:42:58 2026 +0200 Merge branch 'rust-arbiter' into rust-config Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 27ff039 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 19:40:37 2026 +0200 rename to ak-lib Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit e7d3704 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 19:32:59 2026 +0200 packages/ak-config: init Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 1e5cb4b Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 19:32:18 2026 +0200 sort out package versions Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 64b9391 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 17:49:16 2026 +0200 lint Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 57edeec Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 17:48:51 2026 +0200 add tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 5294f8a Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 16:38:11 2026 +0200 fixup Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit f1257d2 Author: Marc 'risson' Schmitt 
<marc.schmitt@risson.space> Date: Mon Mar 30 16:33:49 2026 +0200 packages/ak-arbiter: init Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
1 parent 2ee2559 commit 1fe8ed8

8 files changed

Lines changed: 87 additions & 2 deletions


Cargo.lock

Lines changed: 4 additions & 0 deletions

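--- a/Cargo.toml
+++ b/Cargo.toml
@@ -35,6 +35,7 @@ durstr = "= 0.5.1"
 eyre = "= 0.6.12"
 futures = "= 0.3.32"
 glob = "= 0.3.3"
+ipnet = { version = "= 2.12.0", features = ["serde"] }
 json-subscriber = "= 0.2.8"
 nix = { version = "= 0.31.2", features = ["signal"] }
 notify = "= 8.2.0"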
Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
//! axum extractors to get information about a request.
2+
3+
pub mod trusted_proxy;
Lines changed: 69 additions & 0 deletions
@@ -0,0 +1,69 @@
1+
//! axum extractor and middleware to check if a request comes from a trusted proxy.
2+
3+
use std::net::SocketAddr;
4+
5+
use ak_common::config;
6+
use axum::{
7+
Extension, RequestPartsExt as _,
8+
extract::{ConnectInfo, FromRequestParts, Request},
9+
http::request::Parts,
10+
middleware::Next,
11+
response::Response,
12+
};
13+
use tracing::{instrument, trace};
14+
15+
/// Whether the request comes from a trusted proxy.
16+
///
17+
/// The [`trusted_proxy_middleware`] must be added to the router before using this extractor,
18+
/// otherwise this will result in requests erroring.
19+
#[derive(Clone, Copy, Debug)]
20+
pub struct TrustedProxy(pub bool);
21+
22+
impl<S> FromRequestParts<S> for TrustedProxy
23+
where
24+
S: Send + Sync,
25+
{
26+
type Rejection = <Extension<Self> as FromRequestParts<S>>::Rejection;
27+
28+
async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
29+
Extension::<Self>::from_request_parts(parts, state)
30+
.await
31+
.map(|Extension(trusted_proxy)| trusted_proxy)
32+
}
33+
}
34+
35+
/// Check whether the request comes from a trusted proxy.
36+
#[instrument(skip_all)]
37+
async fn extract_trusted_proxy(parts: &mut Parts) -> bool {
38+
if let Ok(ConnectInfo(addr)) = parts.extract::<ConnectInfo<SocketAddr>>().await {
39+
let trusted_proxy_cidrs = &config::get().listen.trusted_proxy_cidrs;
40+
41+
for trusted_net in trusted_proxy_cidrs {
42+
if trusted_net.contains(&addr.ip()) {
43+
trace!(
44+
?addr,
45+
?trusted_net,
46+
"connection is now considered coming from a trusted proxy"
47+
);
48+
return true;
49+
}
50+
}
51+
}
52+
false
53+
}
54+
55+
/// Middleware required by the [`TrustedProxy`] extractor.
56+
///
57+
/// Use with [`axum::middleware::from_fn`].
58+
pub async fn trusted_proxy_middleware(request: Request, next: Next) -> Response {
59+
let (mut parts, body) = request.into_parts();
60+
61+
let trusted_proxy = extract_trusted_proxy(&mut parts).await;
62+
parts
63+
.extensions
64+
.insert::<TrustedProxy>(TrustedProxy(trusted_proxy));
65+
66+
let request = Request::from_parts(parts, body);
67+
68+
next.run(request).await
69+
}
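Review bot: In `extract_trusted_proxy`, `trusted_net.contains(&addr.ip())` compares the peer address in whatever family the socket reports, so on a dual-stack listener an IPv4 proxy that appears as an IPv4-mapped IPv6 address (`::ffff:a.b.c.d`) will not match an IPv4 entry in `trusted_proxy_cidrs`. That fails closed, but it tends to push operators toward widening the list; canonicalizing first avoids it: `let ip = addr.ip().to_canonical();` followed by `trusted_net.contains(&ip)`. The doc comment on `TrustedProxy` should also say that the decision is made on the connection's `ConnectInfo<SocketAddr>` and that this must be the direct TCP peer; if the PROXY-protocol acceptor named in the commit message rewrites that address (not visible here), the check would be applied to an address the peer supplied rather than to the peer itself. The `Err` arm of the `ConnectInfo` extraction falls through to `false` with no log line, so a `trace!` there would make a missing connect-info setup diagnosable.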

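--- a/packages/ak-axum/src/lib.rs
+++ b/packages/ak-axum/src/lib.rs
@@ -2,6 +2,7 @@
 
 pub mod accept;
 pub mod error;
+pub mod extract;
 pub mod router;
 pub mod server;
 pub mod tracing;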

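--- a/packages/ak-axum/src/router.rs
+++ b/packages/ak-axum/src/router.rs
@@ -5,7 +5,10 @@ use axum::{Router, http::StatusCode, middleware::from_fn};
 use tower::ServiceBuilder;
 use tower_http::timeout::TimeoutLayer;
 
-use crate::tracing::{span_middleware, tracing_middleware};
+use crate::{
+extract::trusted_proxy::trusted_proxy_middleware,
+tracing::{span_middleware, tracing_middleware},
+};
 
 /// Wrap a [`Router`] with common middlewares.
 ///
@@ -23,7 +26,8 @@ pub fn wrap_router(router: Router, with_tracing: bool) -> Router {
 StatusCode::REQUEST_TIMEOUT,
 timeout,
 ))
-.layer(from_fn(span_middleware));
+.layer(from_fn(span_middleware))
+.layer(from_fn(trusted_proxy_middleware));
 if with_tracing {
 router.layer(service_builder.layer(from_fn(tracing_middleware)))
 } else {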
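Review bot: The `wrap_router` doc comment, which begins at the end of the first hunk and continues outside it, is not updated for the new `.layer(from_fn(trusted_proxy_middleware))` in the second hunk, so callers cannot tell from the docs that every wrapped router now carries a `TrustedProxy` extension. I would add a line such as `/// Also installs trusted_proxy_middleware, which needs ConnectInfo<SocketAddr> on the request; without it every request is classified as untrusted.` Presumably handlers will use the flag to decide whether forwarded-client headers are honoured, so it is also worth stating there that routers built without `wrap_router` make the `TrustedProxy` extractor reject the request rather than default to untrusted. The body of `wrap_router` starts and ends outside the hunk.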

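--- a/packages/ak-common/Cargo.toml
+++ b/packages/ak-common/Cargo.toml
@@ -22,6 +22,7 @@ config-rs.workspace = true
 console-subscriber.workspace = true
 eyre.workspace = true
 glob.workspace = true
+ipnet.workspace = true
 json-subscriber.workspace = true
 notify.workspace = true
 pin-project-lite.workspace = true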

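--- a/packages/ak-common/src/config/schema.rs
+++ b/packages/ak-common/src/config/schema.rs
@@ -1,5 +1,6 @@
 use std::{collections::HashMap, net::SocketAddr, num::NonZeroUsize};
 
+use ipnet::IpNet;
 use serde::{Deserialize, Serialize};
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -48,6 +49,7 @@ pub struct ListenConfig {
 pub http: Vec<SocketAddr>,
 pub metrics: Vec<SocketAddr>,
 pub debug_tokio: SocketAddr,
+pub trusted_proxy_cidrs: Vec<IpNet>,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]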
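Review bot: `trusted_proxy_cidrs` is added to `ListenConfig` without a doc comment, although it is the field that decides which peers are treated as trusted proxies. A line such as `/// Networks whose direct peers are treated as trusted proxies; keep entries as narrow as possible, a catch-all such as 0.0.0.0/0 marks every client as trusted.` would make the trust boundary explicit. No `#[serde(default)]` is visible on the field, so unless a default comes from elsewhere in the config loading, existing configurations without the key may fail to deserialize; an empty default would keep the behaviour fail-closed. The struct's remaining fields and attributes are outside the hunk.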
