MatchWithError returns true if r matches m.
(r *http.Request)
| 260 | |
| 261 | // MatchWithError returns true if r matches m. |
| 262 | func (m MatchClientIP) MatchWithError(r *http.Request) (bool, error) { |
| 263 | // if handshake is not finished, we infer 0-RTT that has |
| 264 | // not verified remote IP; could be spoofed, so we throw |
| 265 | // HTTP 425 status to tell the client to try again after |
| 266 | // the handshake is complete |
| 267 | if r.TLS != nil && !r.TLS.HandshakeComplete { |
| 268 | return false, Error(http.StatusTooEarly, fmt.Errorf("TLS handshake not complete, remote IP cannot be verified")) |
| 269 | } |
| 270 | |
| 271 | address := GetVar(r.Context(), ClientIPVarKey).(string) |
| 272 | clientIP, zoneID, err := parseIPZoneFromString(address) |
| 273 | if err != nil { |
| 274 | m.logger.Error("getting client IP", zap.Error(err)) |
| 275 | return false, nil |
| 276 | } |
| 277 | matches, zoneFilter := matchIPByCidrZones(clientIP, zoneID, m.cidrs, m.zones) |
| 278 | if !matches && !zoneFilter { |
| 279 | m.logger.Debug("zone ID from client IP did not match", zap.String("zone", zoneID)) |
| 280 | } |
| 281 | return matches, nil |
| 282 | } |
| 283 | |
| 284 | func provisionCidrsZonesFromRanges(ranges []string) ([]*netip.Prefix, []string, error) { |
| 285 | cidrs := []*netip.Prefix{} |
no test coverage detected