packages/ak-axum/extract/client_ip: init (#21321)

rissson · rissson · commit 4e4ca82a54a2 · 2026-04-02T19:10:35.000+02:00
Squashed commit of the following: commit 2e5cfb2 Merge: d51d860 a6d543b Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:47:43 2026 +0200 Merge branch 'rust-axum-extract-trusted-proxy' into rust-axum-extract-client-ip commit a6d543b Merge: da38234 a522b8b Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:47:33 2026 +0200 Merge branch 'rust-axum-acceptor-proxy' into rust-axum-extract-trusted-proxy commit a522b8b Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:46:57 2026 +0200 fmt Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit d51d860 Merge: f74e533 da38234 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:16:50 2026 +0200 Merge branch 'rust-axum-extract-trusted-proxy' into rust-axum-extract-client-ip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit da38234 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:16:30 2026 +0200 add doc Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit f74e533 Merge: 4c84c53 703d5af Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:13:03 2026 +0200 Merge branch 'rust-axum-extract-trusted-proxy' into rust-axum-extract-client-ip commit 703d5af Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:12:58 2026 +0200 fixup Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 4c84c53 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:10:10 2026 +0200 fixup Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 356c487 Merge: c2bd441 81f314c Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:09:58 2026 +0200 Merge branch 'rust-axum-extract-trusted-proxy' into rust-axum-extract-client-ip commit 81f314c Merge: 544f662 5b13d5b Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:09:51 2026 +0200 Merge branch 'rust-axum-trace' into rust-axum-extract-trusted-proxy commit 5b13d5b Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:09:43 2026 +0200 fixup Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit c2bd441 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:09:25 2026 +0200 fixup Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit d350e94 Merge: b42fb09 544f662 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:09:10 2026 +0200 Merge branch 'rust-axum-extract-trusted-proxy' into rust-axum-extract-client-ip commit 544f662 Merge: 267336f 5e03610 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:08:55 2026 +0200 Merge branch 'rust-axum-trace' into rust-axum-extract-trusted-proxy commit 5e03610 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:08:20 2026 +0200 fixup Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit b42fb09 Merge: a30b345 267336f Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:06:28 2026 +0200 Merge branch 'rust-axum-extract-trusted-proxy' into rust-axum-extract-client-ip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 267336f Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:05:50 2026 +0200 fix layer order Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit a30b345 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:05:32 2026 +0200 wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit e2ab302 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 19:00:34 2026 +0200 add docs Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 89fbf0d Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 18:56:17 2026 +0200 packages/ak-axum/extract/trusted_proxy: init Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 279610b Merge: 2917970 5c937d7 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 18:54:49 2026 +0200 Merge branch 'rust-axum-trace' into rust-axum-extract-trusted-proxy Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 2917970 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 18:40:31 2026 +0200 packages/ak-axum/accept/proxy_protocol: init Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit d999d80 Merge: 65f33d6 365de9d Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 18:38:50 2026 +0200 Merge branch 'rust-lib-proxy-protocol' into rust-axum-acceptor-proxy Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 65f33d6 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 18:35:12 2026 +0200 packages/ak-axum/accept/tls: init Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 116e601 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 18:28:43 2026 +0200 packages/ak-axum/server: init Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 5c937d7 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 17:40:46 2026 +0200 packages/ak-axum/tracing: init Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 67ed0dc Merge: b4f06d6 095d38c Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 17:17:40 2026 +0200 Merge branch 'rust-config' into rust-axum Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 365de9d Merge: ab239bf 0079984 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 17:15:04 2026 +0200 Merge branch 'rust-lib-rename' into rust-lib-proxy-protocol Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 095d38c Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 17:11:52 2026 +0200 fixup Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 7eb07d5 Merge: cb1f86b 507eb2f Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 17:11:08 2026 +0200 Merge branch 'rust-arbiter' into rust-config commit 507eb2f Merge: 6968d59 0079984 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 17:10:37 2026 +0200 Merge branch 'rust-lib-rename' into rust-arbiter Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 0079984 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 17:08:07 2026 +0200 packages/ak-common: rename from ak-lib Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit b4f06d6 Merge: c08e2a3 cb1f86b Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 17:05:36 2026 +0200 wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit c08e2a3 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 17:05:01 2026 +0200 wip Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 75622e9 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 16:57:45 2026 +0200 packages/ak-axum: init Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit cb1f86b Merge: c8fa1b8 a3fea5d Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 16:53:19 2026 +0200 Merge branch 'fix-rustfmt-config' into rust-config commit 6968d59 Merge: 341c9cc a3fea5d Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 16:52:55 2026 +0200 Merge branch 'fix-rustfmt-config' into rust-arbiter commit ab239bf Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 16:39:44 2026 +0200 fix import Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit a3fea5d Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 16:32:16 2026 +0200 root: fix rustfmt config Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 3ef0080 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Wed Apr 1 16:29:35 2026 +0200 packages/ak-lib/tokio/proxy_procotol: init Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit c8fa1b8 Merge: 48c833c 341c9cc Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Tue Mar 31 13:56:39 2026 +0200 Merge branch 'rust-arbiter' into rust-config commit 341c9cc Merge: a1cf0a7 55e555c Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Tue Mar 31 13:55:28 2026 +0200 Merge branch 'main' into rust-arbiter Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 48c833c Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 20:31:04 2026 +0200 lint Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 681117d Merge: 4c54511 a1cf0a7 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 20:03:49 2026 +0200 Merge branch 'rust-arbiter' into rust-config Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit a1cf0a7 Merge: 1ee6f11 524b788 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 20:03:01 2026 +0200 Merge branch 'rust-lib' into rust-arbiter Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 524b788 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 19:57:51 2026 +0200 fixup Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit dc65ab1 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 16:33:49 2026 +0200 packages/ak-lib: init Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 4c54511 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 19:52:55 2026 +0200 move into lib crate Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit d7141df Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 19:48:34 2026 +0200 fixup Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 2bab7ed Merge: 2bc79f1 1ee6f11 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 19:43:24 2026 +0200 Merge branch 'rust-arbiter' into rust-config commit 1ee6f11 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 19:43:21 2026 +0200 fixup Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 2bc79f1 Merge: e7d3704 27ff039 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 19:42:58 2026 +0200 Merge branch 'rust-arbiter' into rust-config Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 27ff039 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 19:40:37 2026 +0200 rename to ak-lib Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit e7d3704 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 19:32:59 2026 +0200 packages/ak-config: init Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 1e5cb4b Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 19:32:18 2026 +0200 sort out package versions Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 64b9391 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 17:49:16 2026 +0200 lint Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 57edeec Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 17:48:51 2026 +0200 add tests Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit 5294f8a Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 16:38:11 2026 +0200 fixup Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> commit f1257d2 Author: Marc 'risson' Schmitt <marc.schmitt@risson.space> Date: Mon Mar 30 16:33:49 2026 +0200 packages/ak-arbiter: init Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space> Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -24,6 +24,7 @@ axum-server = { version = "= 0.8.0", features = ["tls-rustls-no-provider"] }
 aws-lc-rs = { version = "= 1.16.2", features = ["fips"] }
 axum = { version = "= 0.8.8", features = ["http2", "macros", "ws"] }
 clap = { version = "= 4.6.0", features = ["derive", "env"] }
+client-ip = { version = "0.2.1", features = ["forwarded-header"] }
 colored = "= 3.1.1"
 config-rs = { package = "config", version = "= 0.15.22", default-features = false, features = [
   "yaml",
diff --git a/packages/ak-axum/Cargo.toml b/packages/ak-axum/Cargo.toml
@@ -13,6 +13,7 @@ publish.workspace = true
 ak-common.workspace = true
 axum-server.workspace = true
 axum.workspace = true
+client-ip.workspace = true
 durstr.workspace = true
 eyre.workspace = true
 futures.workspace = true
diff --git a/packages/ak-axum/src/extract/client_ip.rs b/packages/ak-axum/src/extract/client_ip.rs
@@ -0,0 +1,237 @@
+//! axum extractor and middleware to retrieve the client IP.
+
+use std::net::{IpAddr, Ipv6Addr, SocketAddr};
+
+use axum::{
+    Extension, RequestPartsExt as _,
+    extract::{ConnectInfo, FromRequestParts, Request},
+    http::request::Parts,
+    middleware::Next,
+    response::Response,
+};
+use tracing::{Span, instrument};
+
+use crate::{accept::proxy_protocol::ProxyProtocolState, extract::trusted_proxy::TrustedProxy};
+
+/// Client IP.
+///
+/// The [`client_ip_middleware`] must be added to the router before using this extractor,
+/// otherwise this will result in requests erroring.
+#[derive(Clone, Copy, Debug)]
+pub struct ClientIp(pub IpAddr);
+
+impl<S> FromRequestParts<S> for ClientIp
+where
+    S: Send + Sync,
+{
+    type Rejection = <Extension<Self> as FromRequestParts<S>>::Rejection;
+
+    async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
+        Extension::<Self>::from_request_parts(parts, state)
+            .await
+            .map(|Extension(client_ip)| client_ip)
+    }
+}
+
+/// Get the client IP from the request.
+#[instrument(skip_all)]
+async fn extract_client_ip(parts: &mut Parts) -> IpAddr {
+    let is_trusted = parts
+        .extract::<TrustedProxy>()
+        .await
+        .unwrap_or(TrustedProxy(false))
+        .0;
+
+    if is_trusted {
+        if let Ok(ip) = client_ip::rightmost_x_forwarded_for(&parts.headers) {
+            return ip;
+        }
+
+        if let Ok(ip) = client_ip::x_real_ip(&parts.headers) {
+            return ip;
+        }
+
+        if let Ok(ip) = client_ip::rightmost_forwarded(&parts.headers) {
+            return ip;
+        }
+
+        if let Ok(Extension(proxy_protocol_state)) =
+            parts.extract::<Extension<ProxyProtocolState>>().await
+            && let Some(header) = &proxy_protocol_state.header
+            && let Some(addr) = header.proxied_address()
+        {
+            return addr.source.ip();
+        }
+    }
+
+    if let Ok(ConnectInfo(addr)) = parts.extract::<ConnectInfo<SocketAddr>>().await {
+        addr.ip()
+    } else {
+        // No connect info means we received a request via a Unix socket, hence localhost
+        // as default.
+        Ipv6Addr::LOCALHOST.into()
+    }
+}
+
+/// Middleware required by the [`ClientIp`] extractor.
+///
+/// Use with [`axum::middleware::from_fn`].
+pub async fn client_ip_middleware(request: Request, next: Next) -> Response {
+    let (mut parts, body) = request.into_parts();
+
+    let client_ip = extract_client_ip(&mut parts).await;
+    Span::current().record("remote", client_ip.to_string());
+    parts.extensions.insert::<ClientIp>(ClientIp(client_ip));
+
+    let request = Request::from_parts(parts, body);
+
+    next.run(request).await
+}
+
+#[cfg(test)]
+mod tests {
+    use std::net::Ipv4Addr;
+
+    use axum::{body::Body, http::Request};
+
+    use super::*;
+
+    #[tokio::test]
+    async fn x_forwarded_for_trusted() {
+        let (mut parts, _) = Request::builder()
+            .uri("http://example.com/path")
+            .header("x-forwarded-for", "192.0.2.51, 192.0.2.42")
+            .extension(TrustedProxy(true))
+            .body(Body::empty())
+            .expect("Failed to create request")
+            .into_parts();
+
+        let client_ip = extract_client_ip(&mut parts).await;
+
+        assert_eq!(client_ip, Ipv4Addr::new(192, 0, 2, 42),);
+    }
+
+    #[tokio::test]
+    async fn x_real_ip_trusted() {
+        let (mut parts, _) = Request::builder()
+            .uri("http://example.com/path")
+            .header("x-real-ip", "192.0.2.42")
+            .extension(TrustedProxy(true))
+            .body(Body::empty())
+            .expect("Failed to create request")
+            .into_parts();
+
+        let client_ip = extract_client_ip(&mut parts).await;
+
+        assert_eq!(client_ip, Ipv4Addr::new(192, 0, 2, 42),);
+    }
+
+    #[tokio::test]
+    async fn forwarded_header_trusted() {
+        let (mut parts, _) = Request::builder()
+            .uri("http://example.com/path")
+            .header("forwarded", "for=192.0.2.42")
+            .extension(TrustedProxy(true))
+            .body(Body::empty())
+            .expect("Failed to create request")
+            .into_parts();
+
+        let client_ip = extract_client_ip(&mut parts).await;
+
+        assert_eq!(client_ip, Ipv4Addr::new(192, 0, 2, 42),);
+    }
+
+    #[tokio::test]
+    async fn from_connect_info() {
+        let connect_addr: SocketAddr = "192.0.2.42:34932"
+            .parse()
+            .expect("Failed to parse socket address");
+        let (mut parts, _) = Request::builder()
+            .uri("http://example.com/path")
+            .extension(ConnectInfo(connect_addr))
+            .extension(TrustedProxy(false))
+            .body(Body::empty())
+            .expect("Failed to create request")
+            .into_parts();
+
+        let client_ip = extract_client_ip(&mut parts).await;
+
+        assert_eq!(client_ip, Ipv4Addr::new(192, 0, 2, 42),);
+    }
+
+    #[tokio::test]
+    async fn headers_untrusted() {
+        let (mut parts, _) = Request::builder()
+            .uri("http://example.com/path")
+            .header("x-forwarded-for", "192.0.2.42")
+            .extension(TrustedProxy(false))
+            .body(Body::empty())
+            .expect("Failed to create request")
+            .into_parts();
+
+        let client_ip = extract_client_ip(&mut parts).await;
+
+        assert_eq!(client_ip, Ipv6Addr::LOCALHOST);
+    }
+
+    #[tokio::test]
+    async fn priority_order() {
+        // Test that X-Forwarded-For takes priority over other headers when trusted
+        let (mut parts, _) = Request::builder()
+            .uri("http://example.com/path")
+            .header("x-forwarded-for", "192.0.2.1")
+            .header("x-real-ip", "192.0.2.2")
+            .header("forwarded", "for=192.0.2.3")
+            .extension(TrustedProxy(true))
+            .body(Body::empty())
+            .expect("Failed to create request")
+            .into_parts();
+
+        let client_ip = extract_client_ip(&mut parts).await;
+
+        assert_eq!(client_ip, Ipv4Addr::new(192, 0, 2, 1),);
+    }
+
+    #[tokio::test]
+    async fn no_ip_found() {
+        let (mut parts, _) = Request::builder()
+            .uri("http://example.com/path")
+            .body(Body::empty())
+            .expect("Failed to create request")
+            .into_parts();
+
+        let client_ip = extract_client_ip(&mut parts).await;
+
+        assert_eq!(client_ip, Ipv6Addr::LOCALHOST);
+    }
+
+    #[tokio::test]
+    async fn ipv6() {
+        let (mut parts, _) = Request::builder()
+            .uri("http://example.com/path")
+            .header("x-forwarded-for", "2001:db8::42")
+            .extension(TrustedProxy(true))
+            .body(Body::empty())
+            .expect("Failed to create request")
+            .into_parts();
+
+        let client_ip = extract_client_ip(&mut parts).await;
+
+        assert_eq!(client_ip, Ipv6Addr::new(0x2001, 0xdb8, 0, 0, 0, 0, 0, 0x42),);
+    }
+
+    #[tokio::test]
+    async fn multiple_x_forwarded_for() {
+        let (mut parts, _) = Request::builder()
+            .uri("http://example.com/path")
+            .header("x-forwarded-for", "192.0.2.1, 192.0.2.2, 192.0.2.3")
+            .extension(TrustedProxy(true))
+            .body(Body::empty())
+            .expect("Failed to create request")
+            .into_parts();
+
+        let client_ip = extract_client_ip(&mut parts).await;
+
+        assert_eq!(client_ip, Ipv4Addr::new(192, 0, 2, 3),);
+    }
+}
diff --git a/packages/ak-axum/src/extract/mod.rs b/packages/ak-axum/src/extract/mod.rs
@@ -1,3 +1,4 @@
 //! axum extractors to get information about a request.
 
+pub mod client_ip;
 pub mod trusted_proxy;
diff --git a/packages/ak-axum/src/router.rs b/packages/ak-axum/src/router.rs
@@ -6,7 +6,7 @@ use tower::ServiceBuilder;
 use tower_http::timeout::TimeoutLayer;
 
 use crate::{
-    extract::trusted_proxy::trusted_proxy_middleware,
+    extract::{client_ip::client_ip_middleware, trusted_proxy::trusted_proxy_middleware},
     tracing::{span_middleware, tracing_middleware},
 };
 
@@ -27,7 +27,8 @@ pub fn wrap_router(router: Router, with_tracing: bool) -> Router {
             timeout,
         ))
         .layer(from_fn(span_middleware))
-        .layer(from_fn(trusted_proxy_middleware));
+        .layer(from_fn(trusted_proxy_middleware))
+        .layer(from_fn(client_ip_middleware));
     if with_tracing {
         router.layer(service_builder.layer(from_fn(tracing_middleware)))
     } else {
diff --git a/packages/ak-axum/src/tracing.rs b/packages/ak-axum/src/tracing.rs
@@ -5,7 +5,7 @@ use std::collections::HashMap;
 use ak_common::config;
 use axum::{extract::Request, middleware::Next, response::Response};
 use tokio::time::Instant;
-use tracing::{Instrument as _, info, info_span, trace};
+use tracing::{Instrument as _, field, info, info_span, trace};
 
 /// Create a [`tracing::Span`] for requests.
 pub(crate) async fn span_middleware(request: Request, next: Next) -> Response {
@@ -27,6 +27,7 @@ pub(crate) async fn span_middleware(request: Request, next: Next) -> Response {
         "request",
         path = %request.uri(),
         method = %request.method(),
+        remote = field::Empty,
         http_headers = ?http_headers,
     );
     next.run(request).instrument(span).await

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
`1`	`1`	`//! axum extractors to get information about a request.`
`2`	`2`
	`3`	`+pub mod client_ip;`
`3`	`4`	`pub mod trusted_proxy;`