
Need to modify for AWS ELB so it will use x-forwarded-for instead of client.ip #19

Open
clevy opened this issue May 22, 2013 · 11 comments

Comments

@clevy

clevy commented May 22, 2013

Any tips on modification so that the x-forwarded-for IP or list of IPs are used instead of the client.ip? I am trying to implement behind a load balancer so the client.ip will look the same for every client.

@hernangarcia

Have you found how to patch it? I am not sure, but I am about to try changing the occurrences of "client.ip" to "req.http.x-forwarded-for" in these 3 files:

2vcl.pl
main.vcl
robots.vcl

@jhmartin

When looking at X-Forwarded-For, keep in mind that it may consist of more than one IP if there are upstream proxies:
https://forums.aws.amazon.com/message.jspa?messageID=160282, and that only the most recent value is considered trustworthy.

@hernangarcia

Thanks a lot @jhmartin for pointing that out.

Since I am behind an AWS ELB, the most recent value will be the ELB IP. I guess that using the address added before that will be the right choice.

@jhmartin

The ELB won't add itself to the list (as the ELB address is the client.ip), and the list is 'append-only', so you'll want to use the rightmost value as the client ip.

@hernangarcia

Maybe I'm not getting this straight; look at what I tried. You can see that the last value is the ELB IP address, and the one before is mine. So the ELB adds itself to the list. Right?

```text
curl --header "X-Forwarded-For:1.2.3.4" http://informe21.com/test1
1.2.3.4, 190.203.172.227, 10.91.27.252 - - [28/Aug/2013:04:40:27 +0000] "GET /test1 HTTP/1.1" 404 6121 "-" "curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8x zlib/1.2.5"

curl --header "X-Forwarded-For:1.2.3.4" http://informe21.com/test2
1.2.3.4, 190.203.172.227, 10.91.27.252 - - [28/Aug/2013:04:40:35 +0000] "GET /test2 HTTP/1.1" 404 6121 "-" "curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8x zlib/1.2.5"

curl --header "X-Forwarded-For:1.2.3.4" http://informe21.com/test3
1.2.3.4, 190.203.172.227, 10.91.27.252 - - [28/Aug/2013:04:41:00 +0000] "GET /test3 HTTP/1.1" 404 6121 "-" "curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8x zlib/1.2.5"
```

@jhmartin

Is this log from Varnish itself or Apache behind it? If it is Apache then it makes sense -- Varnish sees the ELB as the client and appends the ELB IP to the XFF header. If it is from varnishncsa then I am surprised and would have to look at why it is occurring that way.

From an Apache perspective, it should see:

```text
X-Forwarded-For: $untrustabledata, $ClientIP, $ELBip
```
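Added example, not code from this thread or from security.vcl: a small Python helper that applies the rule described in the two comments above (the list is append-only, so walk X-Forwarded-For from the right, skip the hops that are your own proxies, and take the first address that is not yours as the client) to the header values posted in this thread. The trusted set is an assumption for the example: the ELB address 10.91.27.252 taken from the posted Apache log, plus a hypothetical loopback hop for the Varnish-to-Apache leg. The log line is a constructed sample in the same layout as the ones posted above.

```python
import ipaddress
import re

# Proxies whose X-Forwarded-For entries we trust. Assumed values for this
# example: the ELB address seen in the thread's log lines and a hypothetical
# loopback hop for the Varnish -> Apache leg. In production this list comes
# from your own infrastructure inventory, never from the request.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.91.27.252/32"),  # ELB, as appended by Varnish
    ipaddress.ip_network("127.0.0.1/32"),     # hypothetical Varnish -> Apache hop
]

# Constructed sample in the layout of the Apache log line posted in the thread.
SAMPLE_LOG_LINE = (
    '1.2.3.4, 190.203.172.227, 10.91.27.252 - - [28/Aug/2013:04:40:27 +0000] '
    '"GET /test1 HTTP/1.1" 404 6121 "-" "curl/7.24.0"'
)


def parse_xff(header):
    """Split an X-Forwarded-For value into entries, oldest (leftmost) first."""
    if not header:
        return []
    return [part.strip() for part in header.split(",") if part.strip()]


def is_ip(text):
    """True when text is a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def is_trusted(text, trusted):
    """True when the address belongs to one of our own proxies."""
    if not is_ip(text):
        return False
    addr = ipaddress.ip_address(text)
    return any(addr in net for net in trusted)


def client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """
    Return the address to treat as the client.

    peer_ip is the TCP peer (client.ip in Varnish terms). If the peer is not
    one of our proxies, the header is client-supplied and ignored. Otherwise
    walk X-Forwarded-For from the right: every hop we recognise as ours is
    skipped, and the first one that is not ours is the client. Entries to the
    left of it were present before the request reached our infrastructure
    and can say anything.
    """
    candidate = peer_ip
    if not is_trusted(peer_ip, trusted):
        return candidate
    for hop in reversed(parse_xff(xff_header)):
        if not is_ip(hop):
            break  # malformed entry: stop at the last address we could vouch for
        if not is_trusted(hop, trusted):
            return hop
        candidate = hop
    return candidate


def xff_from_log_line(line):
    """Pull the leading X-Forwarded-For list out of a log line in the thread's format."""
    match = re.match(r"^(.*?) - - \[", line)
    return match.group(1) if match else ""


if __name__ == "__main__":
    xff = xff_from_log_line(SAMPLE_LOG_LINE)
    # Apache's view: peer is Varnish; header carries spoofed value, client, ELB.
    print("apache view :", client_ip("127.0.0.1", xff))
    # Varnish's view: peer is the ELB; the ELB has not yet been appended.
    print("varnish view:", client_ip("10.91.27.252", "1.2.3.4, 190.203.172.227"))
    # Naive leftmost parsing would report the client-supplied 1.2.3.4 instead.
    print("leftmost    :", parse_xff(xff)[0])
    # Direct connection with a client-supplied header: header ignored.
    print("direct      :", client_ip("203.0.113.9", "1.2.3.4"))
```

Both vantage points in the thread (Varnish seeing the ELB as its peer, Apache seeing Varnish as its peer) resolve to the same client address, 190.203.172.227, while the leftmost value 1.2.3.4 that curl injected is discarded. Replacing client.ip with the whole header for logging, as discussed below, keeps that leftmost client-supplied value in the logs; if the value is ever used for anything beyond logging, strip it this way first.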

@hernangarcia

You are right, it's from Apache behind Varnish.

@comotion
Owner

security.vcl only uses the client.ip for logging purposes at the moment, so there is no problem replacing occurrences of client.ip with req.http.x-forwarded-for in your use case.

@Dockweiler

Hernan, were you able to successfully make the modifications? Do you have the forked code somewhere we can check out?

@justnx

justnx commented Dec 30, 2013

Have you tried to set something like this in your sub vcl_recv ruleset:

```vcl
remove req.http.X-Forwarded-For;
set req.http.X-Forwarded-For = client.ip;
```

@jhmartin

@justnx That would make the client always appear to be the ELB itself, not the client of the ELB.
