AWS ELB sets the real IP address at the end of ctx.request.ips #1094
We were relying on `ctx.request.ip` to get the real IP, which is really just the IP returned in the X-Forwarded-For header. Noticed that if we spoofed the header, AWS's ELB would forward it along with the real IP. Multiple spoofed headers were ignored. The most recent spoofed IP and the real IP was always the last IP in an array with 2 values. To correct this behavior we now use the last value in `ctx.request.ips` if it exists; if not, it will use `ctx.request.ip`. This seems to have prevented spoofing IPs with curl.

Reference: Elastic Load Balancer X-FORWARDED-FOR

Comments

According to the docs Line 174 in 53a4446

I think the docs should be updated to reflect how the code works. Thoughts?

Taking into account the overall laconic style of koa documentation

As for the terminology, upstream/downstream actually might be confusing; here's a perfect explanation. In short, when you are looking at a koa request, upstream is where the data comes from, thus the actual client. That might contradict with

Thanks for the comment @garcia556. Our code has If the docs are updated to show that the client's IP is the last IP in the array and / or The docs can also be updated to include your helpful link on upstream vs downstream depending on context.

Well, this is interesting. First of all, Lines 313 to 323 in c699c75

The problem is that there is no established standard for

Thus ELB is a red herring here; as per the doc, it indeed adds the client IP address to the end of the list in XFF: It looks like a conflict of the de-facto XFF standard vs. ELB's particular implementation. It would also be hard to find the right place for this in

@garcia556 that is informative! Thank you so much for that. Since the ELB is indeed a red herring, other than submitting an issue with them or creating an npm module for every load balancer's XFF implementation, it might be safer to just document the code we use now to get the real IP knowing that we use ELB:

I'm now curious how other competitor load balancers like Azure have implemented this.
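The thread boils down to one rule: every proxy that appends to X-Forwarded-For writes the address it received the connection from, so only the rightmost N entries (N = the number of proxies you operate, 1 for a single ELB) are trustworthy; everything to the left of them is client-supplied, which is why the forged value from curl showed up first and the real address last. The following is an added example written for this page, not koa's code and not from the issue. It is plain Node.js with no koa dependency; the header value, the ELB address and the client addresses are constructed sample data, and `trustedHops` and `remoteAddr` are names chosen here (in koa terms `remoteAddr` would be the socket peer address).

```javascript
// Added example (not koa's code): pick the client IP out of X-Forwarded-For
// when the app sits behind a known number of trusted, appending proxies.
//
// Rightmost-first rule: each proxy appends the peer address it saw, so only
// the rightmost `trustedHops` entries were written by infrastructure you
// control. Anything further left came from the client and can be forged.

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Strict IPv4 check (no leading zeros, octets <= 255); IPv6 is accepted
// loosely (hex digits and colons only) to keep the example dependency-free.
function isPlausibleIp(value) {
  const m = IPV4_RE.exec(value);
  if (m) {
    return m.slice(1).every((o) => Number(o) <= 255 && String(Number(o)) === o);
  }
  return /^[0-9a-f:]+$/i.test(value) && value.includes(':');
}

// Split the header into a left-to-right list of addresses. Repeated header
// lines are usually joined with commas by the server, so accept a string or
// an array of strings.
function parseForwardedFor(headerValue) {
  const raw = Array.isArray(headerValue) ? headerValue.join(',') : (headerValue || '');
  return raw.split(',').map((s) => s.trim()).filter((s) => s.length > 0);
}

// trustedHops: proxies in front of the app that you operate and that append
// to X-Forwarded-For (1 for a single ELB). remoteAddr: the TCP peer address
// the app itself saw; it is the only address known to be authentic.
function clientIp(headerValue, remoteAddr, trustedHops = 1) {
  const hops = parseForwardedFor(headerValue);
  // Fewer entries than trusted hops means no trusted proxy wrote anything we
  // can use (or the request bypassed the proxies): fall back to the socket.
  if (trustedHops < 1 || hops.length < trustedHops) return remoteAddr;
  const candidate = hops[hops.length - trustedHops];
  // A garbage value at the trusted position indicates misconfiguration, not a
  // client address; fail closed to the socket peer rather than return it.
  return isPlausibleIp(candidate) ? candidate : remoteAddr;
}

// The leftmost-entry selection the issue reports as spoofable, for contrast.
function naiveFirstIp(headerValue, remoteAddr) {
  const hops = parseForwardedFor(headerValue);
  return hops.length > 0 ? hops[0] : remoteAddr;
}

// Constructed sample: a curl client sends a forged header; the ELB (trusted
// hop 1) appends the address it actually saw before passing the request on.
const ELB_ADDR = '10.0.0.5';        // constructed: ELB address, the app's TCP peer
const REAL_CLIENT = '203.0.113.7';  // constructed: address the ELB saw
const FORGED = '1.2.3.4';           // constructed: value the client put in the header
const xffAfterElb = `${FORGED}, ${REAL_CLIENT}`;

function demo() {
  return {
    naive: naiveFirstIp(xffAfterElb, ELB_ADDR),        // forged value wins
    rightmost: clientIp(xffAfterElb, ELB_ADDR, 1),      // real client
    noHeader: clientIp(undefined, ELB_ADDR, 1),         // socket peer
    // ELB plus one internal reverse proxy that also appends: count both hops.
    twoProxies: clientIp(`${FORGED}, ${REAL_CLIENT}, 10.0.1.9`, ELB_ADDR, 2),
  };
}

console.log(demo());
```

The parameter that matters is `trustedHops`: it must equal the number of appending proxies actually in the path, and the app must not be reachable except through them, otherwise a direct connection can present any header it likes. Taking "the last value" works for the ELB case in the issue precisely because that is the rightmost-minus-one-hop rule with one hop.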