HTTP API GW -> (WAF) -> ALB, cannot pick up source IP

0

I have an HTTP API GW that connects to a private ALB via VPC Link.

But I cannot make WAF understand the forwarded HTTP header that APIGW sets:

forwarded: for=someip;host=somehost;proto=https

From what I understand, WAF wants a CSV-type input in the header it reads the IP from and uses the first one, and the documentation states that it's usually X-Forwarded-For.

Is there any way of making WAF understand the format that HTTP API GW is sending to ALB?
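As an added example (not code from the question or from AWS), here is a Python function that converts an RFC 7239 `Forwarded` header, like the one API Gateway sends, into the comma-separated X-Forwarded-For form WAF reads; that you have a hop under your control (a Lambda or proxy) where such a rewrite could run is an assumption, since the thread does not identify one. It handles multiple `for=` elements, quoted values, IPv6 literals with ports, and obfuscated or `unknown` identifiers, which are dropped rather than passed on as an IP.

```python
import re
from ipaddress import ip_address
from typing import List, Optional

# RFC 7239 forwarded-pair: token "=" ( token / quoted-string ).
# Elements are separated by ";" and ",", but a quoted value may contain
# either, so pairs are matched with a quote-aware regex over the whole header.
_PAIR = re.compile(
    r"\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s*=\s*(\"(?:[^\"\\]|\\.)*\"|[^;,\s]*)"
)


def _unquote(value: str) -> str:
    """Strip RFC 7230 quoted-string quotes and backslash escapes."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def _node_to_ip(node: str) -> Optional[str]:
    """Return the IP part of a node identifier, or None for unknown/obfuscated ids."""
    node = node.strip()
    if node.startswith("["):            # "[2001:db8::1]:4711" style IPv6 literal
        end = node.find("]")
        if end == -1:
            return None
        host = node[1:end]
    elif node.count(":") == 1:          # "192.0.2.1:4711" style IPv4 with port
        host = node.rsplit(":", 1)[0]
    else:
        host = node
    try:
        return str(ip_address(host))    # rejects "unknown", "_hidden", hostnames
    except ValueError:
        return None


def forwarded_to_xff(forwarded: str) -> str:
    """Build an X-Forwarded-For value (first element = original client) from Forwarded."""
    ips: List[str] = []
    for key, raw in _PAIR.findall(forwarded):
        if key.lower() == "for":
            ip = _node_to_ip(_unquote(raw))
            if ip:
                ips.append(ip)
    return ", ".join(ips)


# Constructed sample matching the header shape quoted in the question.
SAMPLE = "for=203.0.113.10;host=somehost;proto=https"
```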

1 answer
0

The WAF attached to the ALB which is behind API Gateway does not recognize the source IP of the client. One approach would be to front CloudFront before API Gateway and have AWS WAF on CloudFront. Alternatively you could use HTTP API GW -> WAF -> NLB -> ALB. Or switch to port-based routing as opposed to path-based routing and change from ALB to NLB.

AWS
Expert
answered a year ago
  • I tried placing a CF in front of the GW (which is the cleaner solution, I agree), but for the life of me I could not make it work.

    Followed several guides but I only ended up with "< x-cache: Error from cloudfront"

    Route53 -> CF -> custom domain in my HTTP API GW

    Anyone had similar issues?
