
Need to modify for AWS ELB so it will use x-forwarded-for instead of client.ip

Open clevy opened this issue 11 years ago • 11 comments

Any tips on modification so that the x-forwaded-for IP or list of IPs are used instead of the client.ip? I am trying to implement behind a load balancer so the client.ip will look the same for every client.

clevy avatar May 22 '13 18:05 clevy

Have you found how to patch it? I am not sure but I am about to try changing the occurrences of "client.ip" by "req.http.x-forwarded-for" in these 3 files:

2vcl.pl main.vcl robots.vcl

hernangarcia avatar Aug 28 '13 00:08 hernangarcia

When looking at X-Forwarded-For, keep in mind that it may consist of more than one IP if there are upstream proxies: https://forums.aws.amazon.com/message.jspa?messageID=160282, and that only the most recent value is considered trustworthy.

jhmartin avatar Aug 28 '13 02:08 jhmartin

Thanks a lot @jhmartin for pointing that out,

since I am behind an AWS ELB, the most recent value will be the ELB IP. I guess that using the address added before than that will be the right choice.

hernangarcia avatar Aug 28 '13 03:08 hernangarcia

The ELB won't add itself to the list (as the ELB address is the client.ip) , and the list is 'append-only' so you'll want to use the rightmost value as the client ip.

jhmartin avatar Aug 28 '13 03:08 jhmartin

Maybe I'm not getting this straight, look at these I tried. You can see that the last value is the ELB IP address, the one before is mine. So the ELB adds itself to the list. Right?

curl --header "X-Forwarded-For:1.2.3.4" http://informe21.com/test1
1.2.3.4, 190.203.172.227, 10.91.27.252 - - [28/Aug/2013:04:40:27 +0000] "GET /test1 HTTP/1.1" 404 6121 "-" "curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8x zlib/1.2.5"

curl --header "X-Forwarded-For:1.2.3.4" http://informe21.com/test2
1.2.3.4, 190.203.172.227, 10.91.27.252 - - [28/Aug/2013:04:40:35 +0000] "GET /test2 HTTP/1.1" 404 6121 "-" "curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8x zlib/1.2.5"

curl --header "X-Forwarded-For:1.2.3.4" http://informe21.com/test3
1.2.3.4, 190.203.172.227, 10.91.27.252 - - [28/Aug/2013:04:41:00 +0000] "GET /test3 HTTP/1.1" 404 6121 "-" "curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8x zlib/1.2.5"

hernangarcia avatar Aug 28 '13 04:08 hernangarcia

Is this log from Varnish itself or Apache behind it? If it is Apache then it makes sense -- Varnish sees the ELB as the client and appends the ELB IP to the XFF header. If it is from varnishncsa then I am surprised and would have to look at why it is occurring that way.

From an apache perspective, it should see: X-Forwarded-For: $untrustabledata, $ClientIP, $ELBip

jhmartin avatar Aug 28 '13 04:08 jhmartin
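The rule jhmartin describes (the list is append-only, so walk it from the right and skip the hops you added yourself) as an added example; this is not code from security.vcl or from anyone in the thread. It reuses the thread's header values and assumes a constructed Varnish address of 10.0.0.5 as the peer Apache sees.

```python
import ipaddress

# Constructed from the Apache log line in the thread: the client-supplied
# "1.2.3.4", the real client address appended by the ELB, then the ELB's own
# address appended by Varnish.
SAMPLE_XFF = "1.2.3.4, 190.203.172.227, 10.91.27.252"

# Hops we operate and therefore believe: the ELB address seen in the thread and
# a constructed address for the Varnish box. Use the ELB subnet in practice,
# since ELB addresses change.
TRUSTED_PROXIES = ["10.91.27.252", "10.0.0.5"]


def parse_xff(header):
    """Split X-Forwarded-For into address strings, oldest (leftmost) first."""
    return [p.strip() for p in header.split(",") if p.strip()]


def client_ip(peer, header, trusted_proxies):
    """Return the client address for a request.

    peer is the TCP peer (client.ip in VCL). If the peer is not a trusted
    proxy, the header is whatever that host chose to send, so the peer itself
    is the client. Otherwise walk X-Forwarded-For from the right, skipping
    entries that belong to trusted proxies; the first other entry is the
    client. Anything left of it was supplied by untrusted parties and is
    ignored. Returns None when no usable client address remains.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def trusted(addr):
        return any(addr in net for net in nets)

    peer_addr = ipaddress.ip_address(peer)
    if not trusted(peer_addr):
        return str(peer_addr)
    for entry in reversed(parse_xff(header or "")):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            return None  # malformed entry in the client position: reject
        if trusted(addr):
            continue  # a hop we appended ourselves, keep walking left
        return str(addr)
    return None


if __name__ == "__main__":
    print(client_ip("10.0.0.5", SAMPLE_XFF, TRUSTED_PROXIES))  # 190.203.172.227
```

Replacing the header with client.ip, as suggested later in the thread, leaves only trusted addresses in the list, and the function correctly reports no client at all.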

You are right, it's from Apache behind Varnish.

hernangarcia avatar Aug 28 '13 05:08 hernangarcia

security.vcl only uses the client.ip for logging purposes at the moment, so there is no problem replacing occurrences of client.ip with req.http.x-forwarded-for in your use case.

comotion avatar Sep 16 '13 15:09 comotion

Hernan, were you able to successfully make the modifications? Do you have the forked code somewhere we can check out?

Dockweiler avatar Sep 16 '13 16:09 Dockweiler

Have you tried to set something like this in your sub vcl_recv ruleset:

remove req.http.X-Forwarded-For;
set req.http.X-Forwarded-For = client.ip;

justnx avatar Dec 30 '13 13:12 justnx

@justnx That would make the client always appear to be the ELB itself, not the client of the ELB.

jhmartin avatar Dec 30 '13 17:12 jhmartin