ssrfguard

package module
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 15, 2026 License: MIT Imports: 4 Imported by: 0

README

ssrfguard

A small Go library that provides a net.Dialer.Control callback to block connections to private and reserved IP ranges (SSRF protection).

It fires after DNS resolution but before the TCP handshake, which also prevents DNS-rebinding attacks.

Install

go get github.com/abhinavxd/ssrfguard

Usage

guard := ssrfguard.New() // no allowlist — block all reserved ranges

client := &http.Client{
    Transport: &http.Transport{
        DialContext: (&net.Dialer{
            Control: guard.Control,
        }).DialContext,
    },
}

To allow specific internal CIDRs:

guard := ssrfguard.New(
    netip.MustParsePrefix("10.0.0.0/8"),
)

License

MIT

Documentation

Overview

Package ssrfguard provides a net.Dialer.Control callback that blocks connections to private and reserved IP ranges (SSRF protection).

It fires after DNS resolution but before the TCP handshake, which also prevents DNS-rebinding attacks.

Example 
package main

import (
	"fmt"
	"net"
	"net/http"
	"time"

	"github.com/abhinavxd/ssrfguard"
)

func main() {
	guard := ssrfguard.New() // no allowlist — block all reserved ranges

	client := &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			DialContext: (&net.Dialer{
				Timeout:   3 * time.Second,
				KeepAlive: 30 * time.Second,
				Control:   guard.Control,
			}).DialContext,
		},
	}

	// Public addresses work fine.
	_, err := client.Get("https://example.com")
	fmt.Println("example.com:", err)

	// Requests to private/reserved IPs are blocked before any TCP connection.
	_, err = client.Get("http://127.0.0.1:8080/admin")
	fmt.Println("127.0.0.1:", err)
}

Index

Examples

Constants

This section is empty.

Variables

This section is empty.

Functions

func ReservedRanges 

func ReservedRanges() []netip.Prefix

ReservedRanges returns a copy of the built-in reserved IP ranges that the guard blocks by default. The returned slice is a copy callers may inspect it freely without affecting the guard's behaviour.

Types

type Guard 

type Guard struct {
	// contains filtered or unexported fields
}

Guard blocks connections to private/reserved IP addresses unless explicitly allowed. Use New to create one, then assign Guard.Control to a net.Dialer.

func New 

func New(allowed ...netip.Prefix) *Guard

New creates a Guard with the given allowlist prefixes. Addresses that fall within any of the allowed prefixes are permitted even if they belong to a reserved range.

func (*Guard) Control 

func (g *Guard) Control(_, address string, _ syscall.RawConn) error

Control is a net.Dialer.Control callback that blocks connections to reserved IP addresses. It fires after DNS resolution but before the TCP handshake, preventing DNS-rebinding attacks.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.