Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Options for X-Forwarded-For header with Cloudfront->ELB->Haproxy flow

0

A customer is implementing Cloudfront with ELB and HAProxy on EC2. They are also evaluating AWS WAF for protecting App Traffic but because of application requirements they may not be able to move to ALB and hence cant work with WAF for this workload.

They are looking at implementing Access Control at HAProxy layer. But have expressed concerns around reliability of X-Forwarded-For headers as reliable source to implement it. I wanted to seek expert thoughts on better alternatives to help them implement this.

Themen
Vernetzung & Bereitstellung von Inhalten
Tags
Elastic Load BalancingAmazon CloudFront
Sprache
English
AWS
raj_b
gefragt vor 4 Jahren3592 Aufrufe
1 Antwort
0
Akzeptierte Antwort

Yes. X-Forwarded-For Header can be manipulate.
So, You can use Lambda@Edge for origin request phase to overwrite X-Forwarded-For header or create other header like True-Client-IP.

Simple example is below.

'use strict';

exports.handler = function(event, context, callback) {  
  var request = event.Records[0].cf.request;  
  request.headers["true-client-ip"] = [{"key":"True-Client-IP","value":request.clientIp}]   
  request.headers["x-forwarded-for"] = [{"key":"X-Forwarded-For","value":request.clientIp}]  

  callback(null, request);  
};

please check other L@E samples below. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html

AWS
Yoshihisa_N
beantwortet vor 4 Jahren

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt