HTTP API GW -> (WAF) -> ALB, cannot pick up source IP

I have an HTTP API GW that connects to a private ALB via VPC Link.

But i cannot make WAF understand the forwarded HTTP header that APIGW sets

forwarded: for=someip;host=somehost;proto=https

From what i understand WAF wants a CSV type of input in the header it reads for IP and uses the first one and the documentation states that it's usually X-Forwarded-For

Is there any way of making WAF understand the format that HTTP API GW is sending to ALB?

トピック

セキュリティ、アイデンティティ、コンプライアンスサーバーレスフロントエンド Web & モバイルネットワークとコンテンツ配信

タグ

AWS WAF Amazon API Gateway 弾力性のあるロードバランシング

言語

English

Alexander

質問済み 1年前384ビュー

1回答

新しい順
投票が多い順
コメントが多い順

これらの回答は役に立ちましたか？コミュニティがあなたの知識を活用できるように、正解に賛成票を投じてください。

The WAF attached to the ALB which is behind API Gateway does not recognize the source IP of the client. One approach would be to front CloudFront before API Gateway and have AWS WAF on CloudFront Alternatively you could use HTTP API GW -> WAF -> NLB -> ALB. Or Switching to port base routing as opposed to path based routing and changing from ALB to NLB.

エキスパート

PiyushMattoo

回答済み 1年前

alexander
1年前
I tried placing a CF in front of the GW (which is the cleaner solution i agree), but for the life of me I could not make it work

Followed several guides but i only ended up with "< x-cache: Error from cloudfront"

Route53 -> CF -> custom domain in my HTTP API GW

Anyone had similar issues?

HTTP API GW -> (WAF) -> ALB, cannot pick up source IP

関連するコンテンツ