set engine.TrustedProxies For items that don't use gin.RUN

[yiranzai]

#2632

#2675

#2675 causes the engine.prepareTrustedCIDRS to never execute if gin is not started via gin.RUN().

this pr set engine.TrustedProxies and execute engine.prepareTrustedCIDRS For items that don't use gin.RUN

Our project uses http.Handler to start the service instead of gin.Run

[yiranzai]

The failed is not my reason https://travis-ci.org/github/gin-gonic/gin/jobs/767120791

[codecov]

Codecov Report

Merging #2692 (60dfff7) into master (328d0b8) will increase coverage by 0.01%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master    #2692      +/-   ##
==========================================
+ Coverage   98.68%   98.69%   +0.01%     
==========================================
  Files          41       41              
  Lines        2054     2070      +16     
==========================================
+ Hits         2027     2043      +16     
  Misses         15       15              
  Partials       12       12              

Impacted Files	Coverage Δ
gin.go	99.18% <100.00%> (+0.05%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 328d0b8...60dfff7. Read the comment docs.

[thinkerou]

please add some unit test, thanks!

[yiranzai]

done

[yiranzai]

I passed the previous unit tests, but I don't understand why the foo bar bar would expect such a result

[estroz]

Why not add this to all Run* methods too?

[yiranzai]

Because the other RUN* didn't exist before.

My core idea was to be able to dynamically adjust the TurstedProxies.

[yiranzai]

Fix bugs caused by #2675

The bugs:

#2693

#2697

[xpunch]

TrustedProxies is set with []string{"0.0.0.0/0"} by default, you'd better give trustedCIDRs a default value. So we don't need to call SetTrustedProxies when we don't need to change it.

[yiranzai]

TrustedProxies is set with []string{"0.0.0.0/0"} by default, you'd better give trustedCIDRs a default value. So we don't need to call SetTrustedProxies when we don't need to change it.

@xpunch

I haven't changed any of the previous logic, this is a PR that avoids #2675 bug in a new way. As for what you said, gin.Run did that

[xpunch]

Your code is used to set custom TrustedProxies when don't use gin.Run.
I think the simplest way is set default value for trustedCIDRs.

func New() *Engine {
	...
        engine.trustedCIDRs = []*net.IPNet{{IP: net.IP{0x0, 0x0, 0x0, 0x0}, Mask: net.IPMask{0x0, 0x0, 0x0, 0x0}}}
        ...
}

Default value of trustedCIDRs is missing when gin.New() called, TrustedProxies is set to []string{"0.0.0.0/0"}, which means trustedCIDRs should also set a default value matchs TrustedProxies.

[evanfuller]

@yiranzai what is the status on this change? I would love to use it.

[yiranzai]

@evanfuller I don't know.

@thinkerou @estroz reviewer?

What else do I need to do?

[atcharles]

The easiest way:
Copy the following to add to the reverse proxy:
proxy_set_header X-Appengine-Remote-Addr $remote_addr;

[FeodorFitsner]

When this fix is planned for release?

[thinkerou]

lgtm, thanks!

[leafduo]

This fix has 2 problems:

1. it's not backward-compatible
2. is doesn't update related documents

[almas1992]

Is there any plan to release this change?

[rbeuque74]

Hello,

Is there any plan to release this change?

I couldn't agree more. Our software have been bumped to v1.7 because we follow security advisories, and you published GHSA-h395-qcrw-5vmq. But at this time, without the release of SetTrustedProxies, we can't use the new version in production.
Would you mind to release v1.7.5 to fix that ?

Thanks,
Romain