feat: ✨ Add caddy client_ip variable parsing

[adrienyhuel]

Resolve #150

[fzipi]

Thanks for your contribution!

Is there a simple way to add tests on this change?

[adrienyhuel]

@fzipi
I don't know how we could test that, it's only in the logs

[fzipi]

Indentation on this code is bad. Maybe try to run go fmt?

Also, this might just deserve a new function call instead of adding it here?

[adrienyhuel]

@fzipi
A function that might include the whole address parsing (from req.RemoteAddr and caddy client_ip variable) ?

[fzipi]

I think it is way more clear now. @M4tteoP can you help me with the review?

[jcchavezs]

Thanks for this @adrienyhuel. I think the unit tests here aren't enough to cover this. Any chance you can create an integration test using caddytest package as in https://github.com/dunglas/frankenphp/blob/2b7b3d1e4b0bb2634936ce463ffe7cf10c5978e3/caddy/caddy_test.go#L18. It can live in coraza_test.go file.

[adrienyhuel]

@jcchavezs I added a simple integration test, is it sufficient ?

[jcchavezs]

Please fix the lint and we can merge it.

[adrienyhuel]

@jcchavezs my bad, I always forget to lint as my IDE always replace tabs with 4 spaces...

[fzipi]

Maybe adding an .editorconfig could help in this repo for that case?

[M4tteoP]

Sorry, I'm a bit late, I'm finally taking a look. Overall looks good to me!

[M4tteoP]

Would it be possible to add a comment on why this line is needed? Also, is it then something that is strictly required to have the client_ip properly working? If so, should we document it in the readme: https://github.com/corazawaf/coraza-caddy?tab=readme-ov-file#plugin-syntax?

[adrienyhuel]

@M4tteoP
This line is needed is you want Caddy to populate client_ip from X-Forwarded-For header, in the case Caddy is behind a reverse proxy.
If you don't provide this config, Caddy will populate client_ip from request.RemoteAddr :

• If client connect directly, it will be the real IP
• if client connect through another proxy (like Cloudflare, or an Ingress in K8s), it will the proxy IP

See : https://caddyserver.com/docs/caddyfile/options#trusted-proxies
I think all users who want real client IP in their access logs know that config.

[M4tteoP]

Awesome, thanks for the explanation!

[adrienyhuel]

Btw, with this pull request, coraza-caddy will use client_ip variable provided by caddy to use in WAF rules and in WAF logs, regardless of how Caddy populate this variable.

[jcchavezs]

@adrienyhuel please add this explanation as a comment in the config.

[adrienyhuel]

@jcchavezs done :)

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

lint passed