Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Options for X-Forwarded-For header with Cloudfront->ELB->Haproxy flow

0

A customer is implementing Cloudfront with ELB and HAProxy on EC2. They are also evaluating AWS WAF for protecting App Traffic but because of application requirements they may not be able to move to ALB and hence cant work with WAF for this workload.

They are looking at implementing Access Control at HAProxy layer. But have expressed concerns around reliability of X-Forwarded-For headers as reliable source to implement it. I wanted to seek expert thoughts on better alternatives to help them implement this.

Temas
Redes y entrega de contenido
Etiquetas
Balanceo de carga elásticaAmazon CloudFront
Idioma
English
AWS
raj_b
preguntada hace 4 años3593 visualizaciones
1 Respuesta
0
Respuesta aceptada

Yes. X-Forwarded-For Header can be manipulate.
So, You can use Lambda@Edge for origin request phase to overwrite X-Forwarded-For header or create other header like True-Client-IP.

Simple example is below.

'use strict';

exports.handler = function(event, context, callback) {  
  var request = event.Records[0].cf.request;  
  request.headers["true-client-ip"] = [{"key":"True-Client-IP","value":request.clientIp}]   
  request.headers["x-forwarded-for"] = [{"key":"X-Forwarded-For","value":request.clientIp}]  

  callback(null, request);  
};

please check other L@E samples below. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html

AWS
Yoshihisa_N
respondido hace 4 años

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante