AWS ELB sets the real IP address at the end of ctx.request.ips
See original GitHub issueWe were relying on ctx.request.ip
to get the real IP which is really just the IP returned in the X-Forwarded-For
header. Noticed that if we spoofed the header, AWS’s ELB would forward it along with the real IP. Multiple spoofed headers were ignored. The most recent spoofed IP and the real IP was always the last IP in an array with 2 values.
$ curl -H 'X-Forwarded-For: 1.1.1.1' -H 'X-Forwarded-For: 2.2.2.2' elburl
X-Forwarded-For: 1.1.1.1,68.32.48.12
To correct this behavior we now use the last value in ctx.request.ips
if it exists, if not, it will use ctx.request.ip
. This seems to have prevented spoofing IPs with curl.
Reference: Elastic Load Balancer X-FORWARDED-FOR
Issue Analytics
- State:
- Created 6 years ago
- Comments:5
Top Results From Across the Web
Capture client IP addresses in the web server logs behind an ...
I'm using Elastic Load Balancing (ELB) for my web server, and I can see my load balancer's IP address in the web server...
Read more >Find the IP address used by a load balancer to forward traffic ...
Find private IP addresses associated with load balancer elastic network interfaces using the AWS Management Console · 1. Open the Amazon Elastic ...
Read more >I need a static IP address for my Application Load Balancer ...
1. Open the Amazon EC2 console. · 2. In the navigation pane, expand Load Balancing, and then choose Target Groups. · 3. Choose...
Read more >IP address types for your Application Load Balancer
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/ . · On the navigation pane, under LOAD BALANCING, choose Load Balancers. · Select the load...
Read more >Application Load Balancers - AWS Documentation
Your load balancer uses these IP addresses to establish connections with the targets. ... It is set to false for internet-facing load balancers...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
Well this is interesting. First of all
[0]
was done intentionally as per the source code comments: https://github.com/koajs/koa/blob/c699c75c52bc96ba6c3dfc0202a55b76832d7192/lib/request.js#L313-L323The problem is that there is no established standard for
X-Forwarded-For
header.X-Forwarded-For: <client>, <proxy1>, <proxy2>
which corresponds tokoa
implementationnginx
also appends IP addresses to the end leaving client IP as first element in the list (can be checked here).squid
where XFF was introduced does the sameForwarded
header as XFF replacement and it also presumes appending to the end of the listThus ELB is a red herring here, as per the doc it indeed adds client IP address to the end of the list in XFF:
X-Forwarded-For: ip-address-1, ip-address-2, client-ip-address
.It looks like a conflict of de-facto XFF standard vs. ELB particular implementation. It would also be hard to find the right place for this in
koa
docs. It seems to be a little bit off-topic IMO, all that XFF related stuff. Especially without XFF being recognized as actual standard and its vulnerability to spoofing.@garcia556 that is informative! Thank you so much for that.
Since the ELB is indeed a red herring, other than submitting an issue with them or creating a npm module for every load balancer’s XFF implementation, it might be safer to just document the code we use now to get the real IP knowing that we use ELB:
I’m now curious how other competitor load balancers like Azure have implemented this.