client-ip
A 0-dependency ring middleware for determining a request's real client IP address from HTTP headers
X-Forwarded-For and other client IP headers are often used
incorrectly, resulting in bugs
and security vulnerabilities. This library provides strategies for extracting
the correct client IP based on your network configuration.
It is based on the golang reference implementation realclientip/realclientip-go.
Quicky feature list:
- ring middleware determining the client's ip address
- 0 dependency IP address string parsing with guaranteed no trips to the hosts' DNS services, which can block and timeout (unlike Java's
InetAddress/getByName) - rightmost-ish strategies support the
X-Forwarded-ForandForwarded(RFC 7239) headers. - IPv6 zone identifiers support
Note that there is no dependency on ring, the public api could also be used for pedestal or sieppari-style interceptors.
Installation
;; deps.edn
{:deps {com.outskirtslabs/client-ip {:mvn/version "0.1.0"}}}
;; Leiningen
[com.outskirtslabs/client-ip "0.1.0"]
Quick Start
(ns myapp.core
(:require [ol.client-ip.core :as client-ip]
[ol.client-ip.strategy :as strategy]))
;; Simple case: behind a trusted proxy that sets X-Real-IP
(def app
(-> handler
(client-ip/wrap-client-ip
{:strategy (strategy/single-ip-header-strategy "x-real-ip")})))
;; The client IP is now available in the request
(defn handler [request]
(let [client-ip (:ol/client-ip request)]
{:status 200
:body (str "Your IP is: " client-ip)}))
π For detailed guidance on choosing strategies, see doc/usage.md.
Choosing the wrong strategy can result in ip address spoofing security vulnerabilities.
Recommended Reading
You think it is an easy question:
I have an HTTP application, I just want to know the IP address of my client.
But who is the client?
The computer on the other end of the network connection?
But which network connection? The one connected to your http application is probably a reverse proxy or load balancer
Well I mean the "user's ip address"
It ain't so easy kid.
There are many good articles on the internet that discuss the perils and pitfalls of trying to answer this deceptively simple question.
You should read one or two of them to get an idea of the complexity in this space. Libraries, like this one, cannot hide the complexity from you, there is no abstraction nor encapsulation nor "default best practice".
Below are some of those good articles:
- MDN: X-Forwarded-For: Security and privacy concerns
- The perils of the βrealβ client IP (archive link)
- Rails IP Spoofing Vulnerabilities and Protection (archive link)
- ol.client-ip: A Clojure Library to Prevent IP Spoofing
Security
See here for security advisories or to report a security vulnerability.
License
Copyright Β© 2025 Casey Link casey@outskirtslabs.com
Distributed under the MIT License
Can you improve this documentation?Edit on GitHub
cljdoc builds & hosts documentation for Clojure/Script libraries
| Ctrl+k | Jump to recent docs |
| β | Move to previous article |
| β | Move to next article |
| Ctrl+/ | Jump to the search field |