feat(axum): optional extraction of client.address (former client_ip) from http headers or socket's info

davidB · davidB · commit d72d8120f101 · 2025-08-25T18:07:03.000+02:00
FIX #68 #258
diff --git a/axum-tracing-opentelemetry/Cargo.toml b/axum-tracing-opentelemetry/Cargo.toml
@@ -17,7 +17,7 @@ repository.workspace = true
 license.workspace = true
 
 [dependencies]
-axum = { workspace = true, features = ["matched-path"] }
+axum = { workspace = true, features = ["matched-path", "tokio"] }
 futures-core = "0.3"
 futures-util = { version = "0.3", default-features = false, features = [] }
 http = { workspace = true }
diff --git a/axum-tracing-opentelemetry/src/middleware/trace_extractor.rs b/axum-tracing-opentelemetry/src/middleware/trace_extractor.rs
@@ -32,18 +32,21 @@
 //! ```
 //!
 
-use axum::extract::MatchedPath;
+use axum::extract::{ConnectInfo, MatchedPath};
 use http::{Request, Response};
 use pin_project_lite::pin_project;
 use std::{
     error::Error,
     future::Future,
+    net::SocketAddr,
     pin::Pin,
     task::{Context, Poll},
 };
 use tower::{Layer, Service};
 use tracing::Span;
-use tracing_opentelemetry_instrumentation_sdk::http as otel_http;
+use tracing_opentelemetry_instrumentation_sdk::http::{
+    self as otel_http, extract_client_ip_from_headers,
+};
 
 #[deprecated(
     since = "0.12.0",
@@ -65,15 +68,35 @@ pub type Filter = fn(&str) -> bool;
 #[derive(Default, Debug, Clone)]
 pub struct OtelAxumLayer {
     filter: Option<Filter>,
+    try_extract_client_ip: bool,
 }
 
 // add a builder like api
 impl OtelAxumLayer {
     #[must_use]
     pub fn filter(self, filter: Filter) -> Self {
-        OtelAxumLayer {
-            filter: Some(filter),
-        }
+        let mut me = self;
+        me.filter = Some(filter);
+        me
+    }
+
+    /// Enable or disable (default) the extraction of client's ip.
+    /// Extraction from (in order):
+    ///
+    /// 1. http header 'Forwarded'
+    /// 2. http header `X-Forwarded-For`
+    /// 3. socket connection ip, use the `axum::extract::ConnectionInfo` (see [`Router::into_make_service_with_connect_info`] for more details)
+    /// 4. empty (failed to extract the information)
+    ///
+    /// The extracted value could an ip v4, ip v6, a string (as `Forwarded` can use label or hide the client).
+    /// The extracted value is stored it as `client.address` in the span/trace
+    ///
+    /// [`Router::into_make_service_with_connect_info`]: axum::routing::Router::into_make_service_with_connect_info
+    #[must_use]
+    pub fn try_extract_client_ip(self, enable: bool) -> Self {
+        let mut me = self;
+        me.try_extract_client_ip = enable;
+        me
     }
 }
 
@@ -84,6 +107,7 @@ impl<S> Layer<S> for OtelAxumLayer {
         OtelAxumService {
             inner,
             filter: self.filter,
+            try_extract_client_ip: self.try_extract_client_ip,
         }
     }
 }
@@ -92,6 +116,7 @@ impl<S> Layer<S> for OtelAxumLayer {
 pub struct OtelAxumService<S> {
     inner: S,
     filter: Option<Filter>,
+    try_extract_client_ip: bool,
 }
 
 impl<S, B, B2> Service<Request<B>> for OtelAxumService<S>
@@ -115,20 +140,26 @@ where
         use tracing_opentelemetry::OpenTelemetrySpanExt;
         let req = req;
         let span = if self.filter.map_or(true, |f| f(req.uri().path())) {
-            let span = otel_http::http_server::make_span_from_request(&req);
             let route = http_route(&req);
             let method = otel_http::http_method(req.method());
-            // let client_ip = parse_x_forwarded_for(req.headers())
-            //     .or_else(|| {
-            //         req.extensions()
-            //             .get::<ConnectInfo<SocketAddr>>()
-            //             .map(|ConnectInfo(client_ip)| Cow::from(client_ip.to_string()))
-            //     })
-            //     .unwrap_or_default();
+            let client_ip = if self.try_extract_client_ip {
+                extract_client_ip_from_headers(req.headers())
+                    .map(ToString::to_string)
+                    .or_else(|| {
+                        req.extensions()
+                            .get::<ConnectInfo<SocketAddr>>()
+                            .map(|ConnectInfo(client_ip)| client_ip.to_string())
+                    })
+            } else {
+                None
+            };
+
+            let span = otel_http::http_server::make_span_from_request(&req);
             span.record("http.route", route);
             span.record("otel.name", format!("{method} {route}").trim());
-            // span.record("trace_id", find_trace_id_from_tracing(&span));
-            // span.record("client.address", client_ip);
+            if let Some(client_ip) = client_ip {
+                span.record("client.address", client_ip);
+            }
             span.set_parent(otel_http::extract_context(req.headers()));
             span
         } else {
diff --git a/tracing-opentelemetry-instrumentation-sdk/src/http/tools.rs b/tracing-opentelemetry-instrumentation-sdk/src/http/tools.rs
@@ -27,22 +27,49 @@ pub fn extract_service_method(uri: &Uri) -> (&str, &str) {
     (service, method)
 }
 
-fn parse_x_forwarded_for(headers: &HeaderMap) -> Option<&str> {
+#[must_use]
+// From [X-Forwarded-For - HTTP | MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
+// > If a request goes through multiple proxies, the IP addresses of each successive proxy is listed.
+// > This means that, given well-behaved client and proxies,
+// > the rightmost IP address is the IP address of the most recent proxy and
+// > the leftmost IP address is the IP address of the originating client.
+pub fn extract_client_ip_from_headers(headers: &HeaderMap) -> Option<&str> {
+    extract_client_ip_from_forwarded(headers)
+        .or_else(|| extract_client_ip_from_x_forwarded_for(headers))
+}
+
+#[must_use]
+// From [X-Forwarded-For - HTTP | MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
+// > If a request goes through multiple proxies, the IP addresses of each successive proxy is listed.
+// > This means that, given well-behaved client and proxies,
+// > the rightmost IP address is the IP address of the most recent proxy and
+// > the leftmost IP address is the IP address of the originating client.
+fn extract_client_ip_from_x_forwarded_for(headers: &HeaderMap) -> Option<&str> {
     let value = headers.get("x-forwarded-for")?;
     let value = value.to_str().ok()?;
     let mut ips = value.split(',');
     Some(ips.next()?.trim())
 }
 
-#[inline]
-pub fn client_ip<B>(req: &http::Request<B>) -> &str {
-    parse_x_forwarded_for(req.headers())
-        // .or_else(|| {
-        //     req.extensions()
-        //         .get::<ConnectInfo<SocketAddr>>()
-        //         .map(|ConnectInfo(client_ip)| Cow::from(client_ip.to_string()))
-        // })
-        .unwrap_or_default()
+#[must_use]
+// see [Forwarded header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Forwarded)
+fn extract_client_ip_from_forwarded(headers: &HeaderMap) -> Option<&str> {
+    let value = headers.get("forwarded")?;
+    let value = value.to_str().ok()?;
+    value
+        .split(';')
+        .flat_map(|directive| directive.split(','))
+        // select the left/first "for" key
+        .find_map(|directive| directive.trim().strip_prefix("for="))
+        // ipv6 are enclosed into `["..."]`
+        // string are enclosed into `"..."`
+        .map(|directive| {
+            directive
+                .trim_start_matches('[')
+                .trim_end_matches(']')
+                .trim_matches('"')
+                .trim()
+        })
 }
 
 #[inline]
@@ -128,4 +155,57 @@ mod tests {
         let uri: Uri = input.parse().unwrap();
         assert!(url_scheme(&uri) == expected);
     }
+
+    #[rstest]
+    #[case("", "")]
+    #[case(
+        "2001:db8:85a3:8d3:1319:8a2e:370:7348",
+        "2001:db8:85a3:8d3:1319:8a2e:370:7348"
+    )]
+    #[case("203.0.113.195", "203.0.113.195")]
+    #[case("203.0.113.195,10.10.10.10", "203.0.113.195")]
+    #[case("203.0.113.195, 2001:db8:85a3:8d3:1319:8a2e:370:7348", "203.0.113.195")]
+    fn test_extract_client_ip_from_x_forwarded_for(#[case] input: &str, #[case] expected: &str) {
+        let mut headers = HeaderMap::new();
+        if !input.is_empty() {
+            headers.insert("X-Forwarded-For", input.parse().unwrap());
+        }
+
+        let expected = if expected.is_empty() {
+            None
+        } else {
+            Some(expected)
+        };
+        assert!(extract_client_ip_from_x_forwarded_for(&headers) == expected);
+    }
+
+    #[rstest]
+    #[case("", "")]
+    #[case(
+        "for=[\"2001:db8:85a3:8d3:1319:8a2e:370:7348\"]",
+        "2001:db8:85a3:8d3:1319:8a2e:370:7348"
+    )]
+    #[case("for=203.0.113.195", "203.0.113.195")]
+    #[case("for=203.0.113.195, for=10.10.10.10", "203.0.113.195")]
+    #[case(
+        "for=203.0.113.195, for=[\"2001:db8:85a3:8d3:1319:8a2e:370:7348\"]",
+        "203.0.113.195"
+    )]
+    #[case("for=\"_mdn\"", "_mdn")]
+    #[case("for=\"secret\"", "secret")]
+    #[case("for=203.0.113.195;proto=http;by=203.0.113.43", "203.0.113.195")]
+    #[case("proto=http;by=203.0.113.43", "")]
+    fn test_extract_client_ip_from_forwarded(#[case] input: &str, #[case] expected: &str) {
+        let mut headers = HeaderMap::new();
+        if !input.is_empty() {
+            headers.insert("Forwarded", input.parse().unwrap());
+        }
+
+        let expected = if expected.is_empty() {
+            None
+        } else {
+            Some(expected)
+        };
+        assert!(extract_client_ip_from_forwarded(&headers) == expected);
+    }
 }
