AWS ELB sets the real IP address at the end of ctx.request.ips

Well this is interesting. First of all [0] was done intentionally as per the source code comments: https://github.com/koajs/koa/blob/c699c75c52bc96ba6c3dfc0202a55b76832d7192/lib/request.js#L313-L323

The problem is that there is no established standard for X-Forwarded-For header.

• Mozilla doc describes list as X-Forwarded-For: <client>, <proxy1>, <proxy2> which corresponds to koa implementation
• nginx also appends IP addresses to the end leaving client IP as first element in the list (can be checked here).
• squid where XFF was introduced does the same
• there is a proposed RFC for Forwarded header as XFF replacement and it also presumes appending to the end of the list
• another RFC regarding proxies also says the value should be appended

Thus ELB is a red herring here, as per the doc it indeed adds client IP address to the end of the list in XFF: X-Forwarded-For: ip-address-1, ip-address-2, client-ip-address.

It looks like a conflict of de-facto XFF standard vs. ELB particular implementation. It would also be hard to find the right place for this in koa docs. It seems to be a little bit off-topic IMO, all that XFF related stuff. Especially without XFF being recognized as actual standard and its vulnerability to spoofing.

@garcia556 that is informative! Thank you so much for that.

Since the ELB is indeed a red herring, other than submitting an issue with them or creating a npm module for every load balancer’s XFF implementation, it might be safer to just document the code we use now to get the real IP knowing that we use ELB:

  // To avoid X-Forwarded-For spoofing
  // https://forums.aws.amazon.com/message.jspa?messageID=160282
  // If available this retrieves the last item in the array of IPs, if not, it returns the normal koa ip
  ctx.state.ipaddr = ctx.request.ips.slice(-1)[0] || ctx.request.ip;

I’m now curious how other competitor load balancers like Azure have implemented this.