
Symfony2 uses wrong “x-forwarded-for” on AWS Load Balancer / 2 Ip addresses

simple / small question.

My Amazon AWS ELB sends me the following headers.

x-forwarded-for     84.134.167.231, 172.31.17.157
x-forwarded-host    app.example.org
x-forwarded-port    443
x-forwarded-proto   https
x-forwarded-server  ip-172-31-11-2.eu-central-1.compute.internal

But the request uses the second one, the local machine IP address: 172.31.17.157

Does anyone know how to fix this problem? Is it possible to overwrite the Get IP functions of Symfony?

Thanks in Advance!

//edit 1 - HTTPS Configuration

    files:
      /etc/httpd/conf.d/ssl.conf:
        mode: "000644"
        owner: root
        group: root
        content: |
          LoadModule ssl_module modules/mod_ssl.so
          Listen 443
          <VirtualHost *:443>
            <Proxy *>
              Order deny,allow
              Allow from all
            </Proxy>

            SSLEngine             on
            SSLCertificateFile    "/etc/pki/tls/certs/server.crt"
            SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
            SSLCipherSuite        EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
            SSLProtocol           All -SSLv2 -SSLv3
            SSLHonorCipherOrder   On
            SSLSessionTickets     Off

            Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
            Header always set X-Frame-Options DENY
            Header always set X-Content-Type-Options nosniff

            ProxyPass / http://localhost:80/ retry=0
            ProxyPassReverse / http://localhost:80/
            ProxyPreserveHost on
            RequestHeader set X-Forwarded-Proto "https" early

          </VirtualHost>

Yes, you will need to overwrite the getIP function (or anything equivalent) to get it to work for ELB. Note, only for ELB.

The underlying issue is that there is no universally agreed-on standard for X-Forwarded-For.

Most proxy tools, such as Nginx, will set X-Forwarded-For: client, proxy1, proxy2. However, ELB will set X-Forwarded-For: proxy1, proxy2, client.

Therefore, most web frameworks will have an IP spoofing issue when used with ELB.

The fix is simple: just pick the last part of X-Forwarded-For. But as you can imagine, if a request is routed through multiple proxies that use different standards, then there is no easy way to find the real IP address in the end.
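As an added example (written for this page, not code from the question, the answer, or Symfony), the Python below contrasts three ways of reading X-Forwarded-For: taking the first entry, taking the last entry, and walking the list from the right while discarding every hop that belongs to a known proxy network. The third strategy is the trusted-proxy approach that frameworks expose (Symfony does it through `Request::setTrustedProxies()`), and it is the one that stays correct whether a proxy prepends or appends. The header values, the `127.0.0.1` peer address and the `172.31.0.0/16` trusted range are constructed to match the deployment in the question (ELB in front of an instance whose Apache on :443 proxies to :80 on localhost); the assumption that the instance-level Apache appended the `172.31.17.157` entry is mine.

```python
import ipaddress

# Constructed sample: the header value shown in the question.
SAMPLE_XFF = "84.134.167.231, 172.31.17.157"

# Constructed trusted list for the deployment in the question: the VPC range
# the ELB nodes use, plus localhost because Apache :443 proxies to Apache :80.
TRUSTED_PROXIES = ["127.0.0.1/32", "172.31.0.0/16"]


def parse_xff(header_value):
    """Split a comma-separated X-Forwarded-For value into address strings."""
    return [part.strip() for part in header_value.split(",") if part.strip()]


def first_hop(header_value):
    """Naive strategy 1: leftmost entry (attacker-controlled if the client sends the header)."""
    hops = parse_xff(header_value)
    return hops[0] if hops else None


def last_hop(header_value):
    """Naive strategy 2: rightmost entry (often the last proxy, not the client)."""
    hops = parse_xff(header_value)
    return hops[-1] if hops else None


def _is_trusted(addr, networks):
    """True if addr is a valid IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # garbage in the header never counts as a trusted proxy
    return any(ip in net for net in networks)


def client_ip_from_xff(header_value, remote_addr, trusted_proxies):
    """Trusted-proxy strategy: walk from the right, dropping hops we trust.

    remote_addr is the TCP peer of this server. If that peer is not a trusted
    proxy the header is ignored entirely, because anyone who reaches the server
    directly can write whatever they like into X-Forwarded-For.
    """
    networks = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    if not _is_trusted(remote_addr, networks):
        return remote_addr
    hops = parse_xff(header_value)
    for addr in reversed(hops):
        if not _is_trusted(addr, networks):
            return addr  # first hop from the right that is not one of our proxies
    # Every listed hop is a trusted proxy; the leftmost one is the best guess.
    return hops[0] if hops else remote_addr


def compare_strategies(header_value, remote_addr):
    """Return what each strategy reports for one request, for side-by-side review."""
    return {
        "first": first_hop(header_value),
        "last": last_hop(header_value),
        "trusted_walk": client_ip_from_xff(header_value, remote_addr, TRUSTED_PROXIES),
    }


if __name__ == "__main__":
    # Case 1: the header exactly as the question shows it.
    print(compare_strategies(SAMPLE_XFF, "127.0.0.1"))
    # Case 2 (constructed): the client sent its own X-Forwarded-For: 1.2.3.4,
    # the ELB added the real client and Apache added the ELB node.
    print(compare_strategies("1.2.3.4, 84.134.167.231, 172.31.17.157", "127.0.0.1"))
    # Case 3 (constructed): a request that reached the server without any proxy.
    print(compare_strategies("1.2.3.4", "203.0.113.9"))
```

For the question's own header the trusted walk yields `84.134.167.231`; when a client injects its own entry, the first-hop strategy reports the injected value and the last-hop strategy reports the proxy, while the trusted walk still returns the address the ELB saw. The practical consequence is that the trusted list must contain every proxy that can legitimately sit in front of the application and nothing else.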
