fix(ci): replace deprecated chi RealIP + rename gomodguard linter #30

Merged: aanogueira merged 2 commits into main from andre.nogueira/fix-ci-realip-deprecation, May 26, 2026

@aanogueira
Contributor

Summary

Two Go-side fixes that were authored as part of #28 but didn't make it into the merge (the PR was merged before these two later commits were pushed). Same content; re-opening cleanly off main.

1. `chi` middleware.RealIP deprecated

Deprecated for spoofing the X-Forwarded-For header even when upstreams don't strip it (GHSA-3fxj-6jh8-hvhx, GHSA-rjr7-jggh-pgcp, GHSA-9g5q-2w5x-hmxf), failing the `go-checks` lint job.

Replace with `internal/middleware.RealIP`, which only honors XFF when the immediate TCP peer is in a configured trusted-proxy CIDR set:

  • New `server.trusted_proxies` config field (list of CIDRs / bare IPs)
  • Empty config = no-op middleware; r.RemoteAddr keeps the actual TCP peer (safe default)
  • Indexer's internal HTTP server doesn't need client-IP rewriting → line removed there entirely
  • 12 unit tests covering: untrusted peer, trusted peer with single XFF, multi-hop chain, all-trusted edge case, IPv6 parsing
  • `mustParseTrustedProxies` panics on invalid CIDR at startup so misconfiguration fails fast

2. `gomodguard` linter renamed to `gomodguard_v2`

golangci-lint v2.12.0 deprecation. Explicit enable + disable for the old name silences the warning.

Verification (locally on this branch)

  • `go build ./...` ✓
  • `go test ./internal/middleware/... ./internal/config/...` — 33 pass ✓
  • `golangci-lint run ./...` — no issues ✓

Test plan

  • `go-checks` passes (lint + tests)
  • All `docker-build` jobs still pass (no Dockerfile change here)

Follow-up

  • Once deployed behind ingress, set `server.trusted_proxies` to the ingress/LB CIDR in production config so request logs show the real client IP again

chi's middleware.RealIP was deprecated for spoofing the X-Forwarded-For
header even when upstreams don't strip it (GHSA-3fxj-6jh8-hvhx,
GHSA-rjr7-jggh-pgcp, GHSA-9g5q-2w5x-hmxf), failing go-checks lint.

Replace with internal/middleware.RealIP, which only honors XFF when the
immediate TCP peer is in a configured trusted-proxy CIDR set. Empty
config = no-op (r.RemoteAddr keeps the real peer address), the safe
default. New server.trusted_proxies config field lists the CIDRs to
trust — set it to your ingress / LB range when running behind one.

Indexer's HTTP server doesn't need client-IP resolution (it's only
reachable internally from the API server and Prometheus), so the
deprecated line is removed there rather than rewired.

Signed-off-by: Andre Nogueira <aanogueira@protonmail.com>

golangci-lint v2.12.0 deprecated gomodguard in favor of gomodguard_v2.
Explicit enable + disable for the old name keeps the same module-guard
behavior without the deprecation warning.

Signed-off-by: Andre Nogueira <aanogueira@protonmail.com>
@aanogueira aanogueira merged commit ed2158e into main May 26, 2026
11 checks passed
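
The trusted-proxy rule described in this PR (honor X-Forwarded-For only when the immediate TCP peer is in a configured CIDR set), as an added example; it is not the PR's `internal/middleware.RealIP` code. The names `mustParseTrusted`, `isTrusted` and `clientIP`, the right-to-left walk over the chain, and the fallback to the peer address when every hop is trusted are assumptions, and all addresses are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

func mustParseTrusted(entries ...string) (out []netip.Prefix) {
	for _, e := range entries {
		p, err := netip.ParsePrefix(e)
		if err != nil { // not a CIDR: bare IP, trusted as a single host
			a := netip.MustParseAddr(e) // panics on bad input, failing fast at startup
			p = netip.PrefixFrom(a, a.BitLen())
		}
		out = append(out, p.Masked())
	}
	return out
}

func isTrusted(a netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(a.Unmap()) { // Unmap: ::ffff:10.0.0.1 must match 10.0.0.0/8
			return true
		}
	}
	return false
}

// clientIP returns the value a RealIP-style middleware would store in r.RemoteAddr.
func clientIP(remoteAddr, xff string, trusted []netip.Prefix) string {
	peer, err := netip.ParseAddrPort(remoteAddr)
	if err != nil || !isTrusted(peer.Addr(), trusted) {
		return remoteAddr // peer is not a configured proxy: ignore XFF entirely
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- { // right to left: nearest proxy first
		if a, err := netip.ParseAddr(strings.TrimSpace(hops[i])); err != nil {
			break // malformed entry: stop and keep the peer
		} else if !isTrusted(a, trusted) {
			return a.Unmap().String() // first hop not appended by a trusted proxy
		}
	}
	return remoteAddr // no XFF or every hop trusted: keep the peer (assumed fallback)
}

func main() {
	trusted := mustParseTrusted("10.0.0.0/8", "2001:db8::1") // constructed config
	fmt.Println(clientIP("10.1.2.3:44310", "198.51.100.7, 203.0.113.9, 10.0.0.4", trusted))
}
```

With an empty trusted list every peer is untrusted, so the function returns `remoteAddr` unchanged, which is the no-op default the PR describes.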