🐛 [Bug]: Strip all TrustedProxy IPs from ProxyHeader (X-Forwarded-For)

[gueuselambix]

Bug Description

Fiber only strips of the first TrustedProxy IP from the ProxyHeader (typically X-Forwarded-For).

It should keep stripping off TrustedProxy IPs until it reaches the first non-trusted IP.

The doc now says:

Behavior note: X-Forwarded-For often contains a comma-separated chain of IP addresses. With the default EnableIPValidation = false, c.IP() will return the raw header value (the whole chain) rather than a single parsed client IP. With EnableIPValidation = true, c.IP() parses the header and returns the first syntactically valid IP address it finds; it does not walk the chain to find the first non-proxy hop. For a reliable client IP, configure your reverse proxy to overwrite or sanitize this header and/or to provide a single-IP header such as "X-Real-IP" or a provider-specific header like "CF-Connecting-IP".

Why does the code not walk the chain to find the first non-proxy hop?

How to Reproduce

Steps to reproduce the behavior:

1. Configure Fiber with TrustedProxy subnets: "2001:db8::/32", "192.168.0.0/24".
2. Send a X-Forwarded-For request header with 1.2.3.4, 2001:db8::10, 192.168.0.10
3. c.IP() now returns 1.2.3.4, 2001:db8::10

Expected Behavior

As mentioned in https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Forwarded-For
The header can contain N-proxies:

X-Forwarded-For: <client>, <proxy>
X-Forwarded-For: <client>, <proxy>, …, <proxyN>

The server should strip all trusted proxy addresses from the list.

Fiber Version

v2.52.13

Code Snippet (optional)

Checklist:

• I agree to follow Fiber's Code of Conduct.
• I have checked for existing issues that describe my problem prior to opening this one.
• I understand that improperly formatted bug reports may be closed without explanation.

[harsha-cpp]

happy to take this one. quick approach check before i open a PR, since this touches c.IP() default behavior.

in v3, c.IP() doesn't walk the chain at all right now. with EnableIPValidation on it returns the leftmost syntactically valid IP; with validation off (the default) it returns the raw X-Forwarded-For value. so there's no per-hop trusted-proxy stripping to extend — adding it is a behavior change, not a one-line fix.

what i'd propose: when a proxy is trusted, walk X-Forwarded-For from the right, skip every hop that matches TrustProxy (loopback/private/link-local/explicit IPs/CIDRs), and return the first untrusted address as the client IP. fall back to RemoteIP() if every hop is trusted or the header is empty.

two questions before i build it:

1. should this be the default for c.IP(), or gated behind a config flag to avoid changing existing resolution?
2. should it respect EnableIPValidation for the per-hop parse, or validate unconditionally while walking?

i've already mapped the relevant code in req.go and can have it done with tests + a benchmark for the hot path once you confirm the shape.

[gaby]

@harsha-cpp Someone already took it.