Simple / small question.
My Amazon AWS ELB sends me the following headers:
x-forwarded-for 84.134.167.231, 172.31.17.157
x-forwarded-host app.example.org
x-forwarded-port 443
x-forwarded-proto https
x-forwarded-server ip-172-31-11-2.eu-central-1.compute.internal
But the request uses the second one, the local machine IP address: 172.31.17.157
Does anyone know how to fix this problem? Is it possible to overwrite the get-IP functions of Symfony?
Thanks in advance!
// edit 1 - HTTPS configuration
files:
  /etc/httpd/conf.d/ssl.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
          Order deny,allow
          Allow from all
        </Proxy>
        SSLEngine on
        SSLCertificateFile "/etc/pki/tls/certs/server.crt"
        SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder On
        SSLSessionTickets Off
        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff
        ProxyPass / http://localhost:80/ retry=0
        ProxyPassReverse / http://localhost:80/
        ProxyPreserveHost on
        RequestHeader set X-Forwarded-Proto "https" early
      </VirtualHost>
Yes, you will need to overwrite the getIP function (or its equivalent) to get it to work for ELB. Note, only for ELB.
The underlying issue is that there is no universally agreed standard for X-Forwarded-For.
Most proxy tools, such as Nginx, will set X-Forwarded-For: client, proxy1, proxy2. However, ELB will set X-Forwarded-For: proxy1, proxy2, client.
Therefore, most web frameworks will have an IP spoofing issue while using ELB.
The fix is simple: just pick the last part of X-Forwarded-For. But as you can imagine, if a request is routed through multiple proxies that use different standards, then there is no easy way to find the real IP address in the end.
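An added example, not code from the question, the answer or Symfony: it shows the "rightmost untrusted hop" rule that a framework applies once it knows which proxy ranges to trust, run against the header value from the question, and contrasts it with the two naive readings (first element, last element). On the value shown in the question the public address 84.134.167.231 is the first entry and the private 172.31.17.157 hop is the last, so "take the last element" returns the private hop on that data, which is exactly what the asker observed. The trusted ranges (172.31.0.0/16 for the ELB nodes and 127.0.0.1 for the :443 -> :80 hop, because the Apache vhost above proxies to localhost:80) and the REMOTE_ADDR values are assumptions made for the example. Symfony's HttpFoundation applies the same walk once the ranges are registered with Request::setTrustedProxies(), which is the usual alternative to overriding the IP lookup.

```python
"""Resolve the real client address from X-Forwarded-For behind trusted proxies.

Added example, not code from the original post or from Symfony. It implements
the "rightmost untrusted hop" rule: walk the header from the right, discard
every hop that is a trusted proxy, and return the first address that is not.
Everything to the left of that address was written by an untrusted party, so a
client cannot spoof its way past the rule by sending its own X-Forwarded-For.
"""
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

# Assumption for this example: the ELB nodes live in the VPC range 172.31.0.0/16
# and Apache's :443 vhost proxies to localhost:80, so PHP's REMOTE_ADDR is the
# loopback address. Both hops must be trusted for the walk to reach the client.
TRUSTED_PROXIES = ["127.0.0.1/32", "172.31.0.0/16"]


def parse_xff(header: Optional[str]) -> List[str]:
    """Split a comma-separated X-Forwarded-For value into its hops, left to right."""
    if not header:
        return []
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def _is_trusted(candidate: str, trusted_nets) -> bool:
    try:
        addr = ip_address(candidate)
    except ValueError:
        return False  # malformed text is never a trusted proxy
    return any(addr in net for net in trusted_nets)


def client_ip(remote_addr: str, xff: Optional[str], trusted_proxies: Iterable[str]) -> str:
    """Return the client address a framework should use for logging and rate limits."""
    trusted_nets = [ip_network(n, strict=False) for n in trusted_proxies]
    # If the TCP peer is not a trusted proxy, the header could have come from
    # anyone (e.g. a request that bypassed the ELB): ignore it entirely.
    if not _is_trusted(remote_addr, trusted_nets):
        return remote_addr
    # Each trusted hop vouches only for the address immediately to its left.
    for hop in reversed(parse_xff(xff)):
        if _is_trusted(hop, trusted_nets):
            continue
        try:
            ip_address(hop)
        except ValueError:
            return remote_addr  # garbage instead of an address: fall back to the peer
        return hop
    # Only trusted proxies in the chain (or no header at all): the peer is the
    # closest thing to a client we have.
    return remote_addr


def naive_first_hop(xff: str) -> str:
    """The 'client, proxy1, proxy2' reading: trusts whatever the client sent."""
    return parse_xff(xff)[0]


def naive_last_hop(xff: str) -> str:
    """The 'proxy1, proxy2, client' reading: returns the last proxy when it appended itself."""
    return parse_xff(xff)[-1]


def demo() -> dict:
    """Run all three rules against constructed headers modelled on the question."""
    # Constructed: the value shown in the question. The ELB wrote the client's
    # public address; mod_proxy appended the ELB node's private address on the
    # :443 -> :80 hop.
    genuine = "84.134.167.231, 172.31.17.157"
    # Constructed: same path, but the client injected a fake X-Forwarded-For
    # first and the ELB appended the real address after it.
    spoofed = "1.2.3.4, 84.134.167.231, 172.31.17.157"
    return {
        "walk_genuine": client_ip("127.0.0.1", genuine, TRUSTED_PROXIES),
        "walk_spoofed": client_ip("127.0.0.1", spoofed, TRUSTED_PROXIES),
        "walk_bypassed_elb": client_ip("203.0.113.9", spoofed, TRUSTED_PROXIES),
        "last_hop_genuine": naive_last_hop(genuine),   # the private hop the asker saw
        "first_hop_spoofed": naive_first_hop(spoofed),  # the attacker's chosen value
    }


if __name__ == "__main__":
    for rule, result in demo().items():
        print(f"{rule:18} -> {result}")
```

Running the block prints one line per rule: the walk returns 84.134.167.231 for both the genuine and the spoofed header, returns the peer address when the request did not arrive through a trusted proxy, while the last-element rule yields 172.31.17.157 and the first-element rule yields whatever the client injected. The trusted list is the part that must be kept accurate: trusting too wide a range (for example 0.0.0.0/0) reintroduces the spoofing problem the walk is meant to prevent.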