This is an automated email from the ASF dual-hosted git repository.

shreemaan-abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git


The following commit(s) were added to refs/heads/master by this push:
     new f26baed10 fix(chaitin-waf): use trusted client IP source for WAF 
backend (#13339)
f26baed10 is described below

commit f26baed1033bd2ce25079f9d996da29ed251f226
Author: Shreemaan Abhishek <[email protected]>
AuthorDate: Wed May 13 14:59:32 2026 +0800

    fix(chaitin-waf): use trusted client IP source for WAF backend (#13339)
    
    * fix(chaitin-waf): use trusted client IP source for WAF backend
    
    The plugin populated `client_ip` sent to the Chaitin WAF backend by
    reading `ctx.var.http_x_forwarded_for` directly when `real_client_ip`
    is enabled, bypassing nginx's `real_ip` module. Any external client
    could supply an arbitrary `X-Forwarded-For` header and have it
    forwarded to the WAF unchecked.
    
    Replace the raw-header read with `core.request.get_remote_client_ip`
    (realip-aware) when `real_client_ip = true`, and `core.request.get_ip`
    (direct TCP peer) when false. This applies the same fix shape used
    for wolf-rbac in #13329.
    
    * fix(chaitin-waf): preserve real_client_ip=false in get_conf merge
    
    `get_conf` merged `real_client_ip` with `or`, which silently fell
    back to the default `true` whenever the user explicitly set `false`,
    making the toggle ineffective. Replace with an explicit nil check so
    both `true` and `false` overrides are honored.
    
    Also tighten the existing `real_client_ip = false` test to assert the
    chosen `client_ip` (not just the response), and add a regression case
    that verifies the `false` branch wins over `set_real_ip_from`-trusted
    `X-Forwarded-For` rewrites.
    
    * docs(chaitin-waf): clarify how real_client_ip selects the client IP
    
    Describe the two `config.real_client_ip` modes in terms of the value
    the plugin sends to the WAF service: APISIX's resolved client IP
    (true) versus the IP of the directly connected peer (false). The
    previous wording referenced only `X-Forwarded-For`, which no longer
    matches the resolution path.
---
 apisix/plugins/chaitin-waf.lua        |  13 ++--
 docs/en/latest/plugins/chaitin-waf.md |   4 +-
 docs/zh/latest/plugins/chaitin-waf.md |   4 +-
 t/plugin/chaitin-waf.t                | 114 ++++++++++++++++++++++++++++++++++
 4 files changed, 127 insertions(+), 8 deletions(-)

diff --git a/apisix/plugins/chaitin-waf.lua b/apisix/plugins/chaitin-waf.lua
index 6c82c4a70..ed364bb9a 100644
--- a/apisix/plugins/chaitin-waf.lua
+++ b/apisix/plugins/chaitin-waf.lua
@@ -280,7 +280,9 @@ local function get_conf(conf, metadata)
         t.req_body_size = metadata.config.req_body_size
         t.keepalive_size = metadata.config.keepalive_size
         t.keepalive_timeout = metadata.config.keepalive_timeout
-        t.real_client_ip = metadata.config.real_client_ip or t.real_client_ip
+        if metadata.config.real_client_ip ~= nil then
+            t.real_client_ip = metadata.config.real_client_ip
+        end
     end
 
     if conf.config then
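Review bot: The nil-guarded assignment `if metadata.config.real_client_ip ~= nil then` is now repeated verbatim in the route-level merge of the next hunk, and this same `or` bug had to be fixed in both copies; a small helper such as `local function apply_config(t, cfg)` that both branches call would keep the two merges from drifting apart again. The guard also distinguishes only nil, so any non-nil value is copied through as-is, which is correct only while the metadata schema keeps this key strictly boolean (not visible in this hunk). get_conf starts before this hunk and continues past it.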
@@ -290,7 +292,9 @@ local function get_conf(conf, metadata)
         t.req_body_size = conf.config.req_body_size
         t.keepalive_size = conf.config.keepalive_size
         t.keepalive_timeout = conf.config.keepalive_timeout
-        t.real_client_ip = conf.config.real_client_ip or t.real_client_ip
+        if conf.config.real_client_ip ~= nil then
+            t.real_client_ip = conf.config.real_client_ip
+        end
     end
 
     t.mode = conf.mode or metadata.mode or t.mode
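Review bot: The other fields visible in this route-level merge are still assigned unconditionally (`t.req_body_size = conf.config.req_body_size` and the two keepalive lines), so a route that sets only `config.real_client_ip`, as the new TEST 13 does, replaces whatever the metadata merge above produced for `req_body_size`, `keepalive_size` and `keepalive_timeout` with nil. That is harmless only if the plugin schema fills defaults for those keys before `get_conf` runs, which this hunk does not show; if it does not, the same `~= nil` guard belongs on every field here, not just the boolean one. get_conf starts before this hunk.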
@@ -343,10 +347,11 @@ local function do_access(conf, ctx)
     end
 
     if t.real_client_ip then
-        t.client_ip = ctx.var.http_x_forwarded_for or ctx.var.remote_addr
+        t.client_ip = core.request.get_remote_client_ip(ctx)
     else
-        t.client_ip = ctx.var.remote_addr
+        t.client_ip = core.request.get_ip(ctx)
     end
+    core.log.info("chaitin-waf client_ip: ", t.client_ip)
 
     local start_time = ngx_now() * 1000
     local ok, err, result = t1k.do_access(t, false)
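Review bot: The `real_client_ip = true` branch at `t.client_ip = core.request.get_remote_client_ip(ctx)` is only as trustworthy as the realip configuration behind it: a deployment whose fronting proxy is not listed in `apisix.trusted_addresses` sends that proxy's address to the WAF for every client (collapsing its per-IP rules), while one that trusts too wide a range reopens the X-Forwarded-For spoof this commit closes, and the plugin cannot detect either case. A one-line comment above the branch would make that dependency explicit: `-- realip-aware: equals the direct peer unless that peer is in apisix.trusted_addresses`. The new `core.log.info("chaitin-waf client_ip: ", ...)` runs on every WAF-inspected request at info level; if it exists so the tests can assert the chosen address, a comment saying so (or moving it to `core.log.debug` with the tests raising the log level) would stop it being removed as noise. do_access starts before this hunk and continues after it.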
diff --git a/docs/en/latest/plugins/chaitin-waf.md 
b/docs/en/latest/plugins/chaitin-waf.md
index 2f3e357dc..16a658791 100644
--- a/docs/en/latest/plugins/chaitin-waf.md
+++ b/docs/en/latest/plugins/chaitin-waf.md
@@ -64,7 +64,7 @@ The Plugin can add the following response headers, depending 
on the configuratio
 | config.req_body_size     | integer       | false    | 1024    |              
            | The maximum allowed request body size, in KB. |
 | config.keepalive_size    | integer       | false    | 256     |              
            | The maximum number of idle connections to the WAF detection 
service that can be maintained concurrently. |
 | config.keepalive_timeout | integer       | false    | 60000   |              
            | The idle connection timeout for the WAF service, in milliseconds. 
|
-| config.real_client_ip    | boolean       | false    | true    |              
            | If true, the client IP is obtained from the `X-Forwarded-For` 
header. If false, the Plugin uses the client IP from the connection. |
+| config.real_client_ip    | boolean       | false    | true    |              
            | If true, the Plugin sends APISIX's resolved client IP to the WAF 
service (the same value used elsewhere in APISIX, derived from the connection 
and `apisix.trusted_addresses`). If false, the Plugin sends the IP of the peer 
directly connected to APISIX. |
 
 ## Plugin Metadata
 
@@ -81,7 +81,7 @@ The Plugin can add the following response headers, depending 
on the configuratio
 | config.req_body_size     | integer       | False    | 1024    |              
| The maximum allowed request body size, in KB. |
 | config.keepalive_size    | integer       | False    | 256     |              
| The maximum number of idle connections to the WAF detection service that can 
be maintained concurrently. |
 | config.keepalive_timeout | integer       | False    | 60000   |              
| The idle connection timeout for the WAF service, in milliseconds. |
-| config.real_client_ip    | boolean       | False    | true    |              
| If true, the client IP is obtained from the `X-Forwarded-For` header. If 
false, the Plugin uses the client IP from the connection. |
+| config.real_client_ip    | boolean       | False    | true    |              
| If true, the Plugin sends APISIX's resolved client IP to the WAF service (the 
same value used elsewhere in APISIX, derived from the connection and 
`apisix.trusted_addresses`). If false, the Plugin sends the IP of the peer 
directly connected to APISIX. |
 
 ## Examples
 
diff --git a/docs/zh/latest/plugins/chaitin-waf.md 
b/docs/zh/latest/plugins/chaitin-waf.md
index a90cae245..7a6193f7d 100644
--- a/docs/zh/latest/plugins/chaitin-waf.md
+++ b/docs/zh/latest/plugins/chaitin-waf.md
@@ -64,7 +64,7 @@ description: chaitin-waf 插件与长亭雷池 WAF 集成,以检测和阻止
 | config.req_body_size     | integer       | 否       | 1024    |               
           | 允许的最大请求体大小,单位为 KB。 |
 | config.keepalive_size    | integer       | 否       | 256     |               
           | 可同时维持的与 WAF 检测服务的空闲连接数上限。 |
 | config.keepalive_timeout | integer       | 否       | 60000   |               
           | 与 WAF 服务的空闲连接超时时间,单位为毫秒。 |
-| config.real_client_ip    | boolean       | 否       | true    |               
           | 若为 true,则从 `X-Forwarded-For` 请求头中获取客户端 IP。若为 false,则插件使用连接中的客户端 
IP。 |
+| config.real_client_ip    | boolean       | 否       | true    |               
           | 若为 true,则插件将 APISIX 解析得到的客户端 IP(与 APISIX 其他地方使用的相同,由连接信息以及 
`apisix.trusted_addresses` 共同决定)发送给 WAF 服务。若为 false,则插件发送与 APISIX 直接建立连接的对端 IP。 
|
 
 ## 插件元数据
 
@@ -81,7 +81,7 @@ description: chaitin-waf 插件与长亭雷池 WAF 集成,以检测和阻止
 | config.req_body_size     | integer       | 否       | 1024    |              
| 允许的最大请求体大小,单位为 KB。 |
 | config.keepalive_size    | integer       | 否       | 256     |              
| 可同时维持的与 WAF 检测服务的空闲连接数上限。 |
 | config.keepalive_timeout | integer       | 否       | 60000   |              
| 与 WAF 服务的空闲连接超时时间,单位为毫秒。 |
-| config.real_client_ip    | boolean       | 否       | true    |              
| 若为 true,则从 `X-Forwarded-For` 请求头中获取客户端 IP;若为 false,则插件使用连接中的客户端 IP。 |
+| config.real_client_ip    | boolean       | 否       | true    |              
| 若为 true,则插件将 APISIX 解析得到的客户端 IP(与 APISIX 其他地方使用的相同,由连接信息以及 
`apisix.trusted_addresses` 共同决定)发送给 WAF 服务。若为 false,则插件发送与 APISIX 直接建立连接的对端 IP。 
|
 
 ## 示例
 
diff --git a/t/plugin/chaitin-waf.t b/t/plugin/chaitin-waf.t
index ebff234ac..df7f7ed36 100644
--- a/t/plugin/chaitin-waf.t
+++ b/t/plugin/chaitin-waf.t
@@ -405,3 +405,117 @@ hello world
 X-APISIX-CHAITIN-WAF: yes
 X-APISIX-CHAITIN-WAF-ACTION: pass
 X-APISIX-CHAITIN-WAF-STATUS: 200
+--- error_log
+chaitin-waf client_ip: 127.0.0.1
+--- no_error_log
+chaitin-waf client_ip: 1.2.3.4
+
+
+
+=== TEST 12: real_client_ip = false ignores trusted X-Forwarded-For
+--- http_config
+real_ip_header X-Forwarded-For;
+set_real_ip_from 127.0.0.1;
+--- request
+GET /hello
+--- more_headers
+X-Forwarded-For: 192.0.2.10
+trigger: true
+--- error_code: 200
+--- error_log
+chaitin-waf client_ip: 127.0.0.1
+--- no_error_log
+chaitin-waf client_ip: 192.0.2.10
+
+
+
+=== TEST 13: real_client_ip = true prepare
+--- config
+    location /do {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+
+            local code, body = t('/apisix/admin/plugin_metadata/chaitin-waf',
+                 ngx.HTTP_PUT,
+                 [[{
+                    "nodes": [
+                        {
+                            "host": "127.0.0.1",
+                            "port": 8088
+                        }
+                    ]
+                 }]]
+            )
+            if code >= 300 then
+                ngx.status = code
+                return ngx.print(body)
+            end
+
+            local code, body = t('/apisix/admin/routes/1',
+                 ngx.HTTP_PUT,
+                 [[{
+                    "methods": ["GET"],
+                    "plugins": {
+                        "chaitin-waf": {
+                            "match": [
+                                {
+                                    "vars": [
+                                        ["http_trigger", "==", "true"]
+                                    ]
+                                }
+                            ],
+                            "config": {
+                                "real_client_ip": true
+                            }
+                        }
+                    },
+                    "upstream": {
+                        "nodes": {
+                            "127.0.0.1:1980": 1
+                        },
+                        "type": "roundrobin"
+                    },
+                    "uri": "/*"
+                 }]]
+            )
+            if code >= 300 then
+                ngx.status = code
+                return ngx.print(body)
+            end
+            ngx.say("passed")
+        }
+    }
+--- response_body
+passed
+
+
+
+=== TEST 14: client_ip from trusted X-Forwarded-For source
+--- http_config
+real_ip_header X-Forwarded-For;
+set_real_ip_from 127.0.0.1;
+--- request
+GET /hello
+--- more_headers
+X-Forwarded-For: 192.0.2.10
+trigger: true
+--- error_code: 200
+--- error_log
+chaitin-waf client_ip: 192.0.2.10
+
+
+
+=== TEST 15: spoofed X-Forwarded-For from untrusted source is ignored
+--- http_config
+real_ip_header X-Forwarded-For;
+set_real_ip_from 192.0.2.1;
+--- request
+GET /hello
+--- more_headers
+X-Forwarded-For: 192.0.2.10
+trigger: true
+--- error_code: 200
+--- error_log
+chaitin-waf client_ip: 127.0.0.1
+--- no_error_log
+chaitin-waf client_ip: 192.0.2.10
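Review bot: None of the new cases sends a multi-hop `X-Forwarded-For` (for example `X-Forwarded-For: 192.0.2.10, 203.0.113.5` with `set_real_ip_from 127.0.0.1`), so which address `get_remote_client_ip` yields under the project's `real_ip_recursive` setting stays unpinned, and that is exactly the value a WAF per-IP rule keys on; one assertion in the TEST 14 shape would lock it in. The metadata-side `~= nil` fix also has no visible case where plugin metadata sets `real_client_ip: false` and the route leaves it unset — as far as this hunk shows, only the route-level false of TEST 12 is covered, and TEST 13's metadata PUT omits `config` entirely. The prepare test that TEST 11 and TEST 12 depend on starts before this hunk.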
