I'm analyzing a stack of a public route that rests on an Elastic Load Balancer which opens a port exposed by PM2 that starts a node app using the koa module. At the moment, the IP is logged and that depends solely on the X-Forwarded-For header. If this header is manually created using curl, then the application will write that as the IP address.
Is there an easy way to prevent spoofing of this header or to set up AWS's ELB so it ignores manually inserted headers, or is there a better way than the spoofable header to get the real IP address of the visitor?
The Network LB will not support X-Forwarded-For headers like the Application LB does.
Application LB: Layer-7 Load Balancing. You can load balance HTTP/HTTPS applications and use layer 7-specific features, such as X-Forwarded-For headers.
Append: By default, the Application Load Balancer stores the IP address of the client in the X-Forwarded-For request header and passes the header to your server. If the X-Forwarded-For request header is not included in the original request, the load balancer creates one with the client IP address as the request value.
If an application trusts an HTTP request header like X-Forwarded-For to accurately specify the remote IP address of the connecting client, then malicious clients can spoof their IP address.
The X-Forwarded-For request header is automatically added and helps you identify the IP address of a client when you use an HTTP or HTTPS load balancer. Because load balancers intercept traffic between clients and servers, your server access logs contain only the IP address of the load balancer.
According to the doc:
If a request from a client already contains an X-Forwarded-For header, Elastic Load Balancing appends the IP address of the client at the end of the header value. In this case, the last IP address in the list is the IP address of the client.
So the last IP is always the real IP.