HTTP API GW -> (WAF) -> ALB, cannot pick up source IP

0

I have an HTTP API GW that connects to a private ALB via VPC Link.

But I cannot make WAF understand the forwarded HTTP header that APIGW sets:

forwarded: for=someip;host=somehost;proto=https

From what I understand, WAF wants a CSV-type input in the header it reads for the IP and uses the first one, and the documentation states that it's usually X-Forwarded-For.

Is there any way of making WAF understand the format that HTTP API GW is sending to ALB?
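An added example (not part of the question or the answer) that models the format mismatch being asked about: parse_forwarded_for() extracts the client address from the RFC 7239 "Forwarded" header in the form quoted above, while waf_client_ip() is a simplified stand-in for a forwarded-IP setting that expects a comma-separated list of addresses and takes the first (or last) entry; it is not AWS WAF's own logic, and the header names, sample values and "None means fallback" convention are assumptions made for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed samples: the RFC 7239 form API Gateway sends, and the
# comma-separated X-Forwarded-For form a forwarded-IP setting reads.
FORWARDED_SAMPLE = "for=203.0.113.10;host=api.example.com;proto=https"
XFF_SAMPLE = "203.0.113.10, 10.0.0.5"


def parse_forwarded_for(value: str) -> List[str]:
    """Return the 'for=' node identifiers of an RFC 7239 Forwarded header.
    Elements are comma-separated; each holds ';'-separated name=value pairs.
    Quoted values are unquoted, bracketed IPv6 and port suffixes are handled."""
    nodes: List[str] = []
    for element in value.split(","):
        for pair in element.split(";"):
            name, _, raw = pair.strip().partition("=")
            if name.strip().lower() != "for":
                continue
            raw = raw.strip().strip('"')
            m = re.fullmatch(r"\[(?P<v6>[^\]]+)\](?::\d+)?", raw)
            if m:
                nodes.append(m.group("v6"))  # IPv6 must be bracketed per RFC 7239
            elif raw.count(":") == 1:
                nodes.append(raw.rsplit(":", 1)[0])  # IPv4 with a port suffix
            else:
                nodes.append(raw)
    return nodes


def waf_client_ip(headers: Dict[str, str], header_name: str = "X-Forwarded-For",
                  position: str = "FIRST") -> Optional[str]:
    """Simplified model (assumption, not AWS WAF code) of a forwarded-IP setting:
    read the named header as a comma-separated IP list and use the FIRST or
    LAST entry. A missing or unparsable value returns None (the fallback case).
    The RFC 7239 form 'for=...;host=...' is not a bare IP, so it lands here."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(header_name.lower())
    if value is None:
        return None
    parts = [p.strip() for p in value.split(",")]
    candidate = parts[0] if position == "FIRST" else parts[-1]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None
```

Pointing the model at the "Forwarded" header still yields None, because the first comma-separated entry is the whole "for=...;host=...;proto=..." string rather than an address.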

1 Answer
0

The WAF attached to the ALB which is behind API Gateway does not recognize the source IP of the client. One approach would be to front CloudFront before API Gateway and have AWS WAF on CloudFront. Alternatively you could use HTTP API GW -> WAF -> NLB -> ALB. Or switch to port-based routing as opposed to path-based routing and change from ALB to NLB.

AWS
Expert
answered 1 year ago
  • I tried placing a CF in front of the GW (which is the cleaner solution, I agree), but for the life of me I could not make it work.

    Followed several guides but I only ended up with "< x-cache: Error from cloudfront"

    Route53 -> CF -> custom domain in my HTTP API GW

    Anyone had similar issues?
