I have a Play service that we have hosted on ECS in a VPC behind an ALB and want to log client IPs.
We can't establish the load balancer's IP range to configure `trustedProxies`, so we have to set it to all IPs as the docs suggest for cloud environments (https://www.playframework.com/documentation/3.0.x/HTTPServer#Trusting-all-proxies). However, this leaves it open to spoofing, as ALB doesn't have the capability to remove incoming X-Forwarded-For headers.
Currently I am able to get the correct remote address by manually extracting the rightmost entry in the X-Forwarded-For list, which we can always trust as the service is only accessible via the ALB.
Given this feels like quite a common scenario, I was wondering if it would make sense to have this functionality built into Play somehow.
For example, a config like `play.http.forwarded.trustedLayerCount=1` which would allow us to set a number of trusted hops for architectures where this is known and static but the actual IPs are not.
I'm happy to take a look at the implementation of this if it seems sensible.
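The "trusted hop count" resolution described in the post, written out as a standalone Scala function. This is an added example and is not Play's code nor an implementation the Play project has adopted; the `trustedLayerCount` name is taken from the proposal above, while `ForwardedClientIp`, `clientIp`, and the sample header values are assumptions constructed for illustration. The function generalises the rightmost-entry trick to N trusted proxies: each trusted hop appends exactly one entry, so the entry at index `length - N` is the address seen by the outermost trusted hop, and everything to its left is client-supplied and untrusted.

```scala
// Added example, not part of Play: resolve the client IP from an
// X-Forwarded-For chain when the number of trusted proxy hops is known
// but their addresses are not (e.g. an AWS ALB in front of an ECS service).
object ForwardedClientIp {

  /** Returns the client address as observed by the outermost trusted proxy.
    *
    * @param xForwardedFor     raw X-Forwarded-For header value, if present
    * @param trustedLayerCount number of proxies in front of the service that
    *                          each append exactly one entry to the header
    * @param peerAddress       remote address of the TCP connection itself
    * @return Some(ip) when the chain is long enough; None when the header has
    *         fewer entries than trusted hops, which means the request did not
    *         pass through the expected proxies (or the count is misconfigured)
    */
  def clientIp(xForwardedFor: Option[String],
               trustedLayerCount: Int,
               peerAddress: String): Option[String] = {
    // With no trusted proxies the TCP peer is the client; ignore the header
    // entirely, since a client can send any X-Forwarded-For it likes.
    if (trustedLayerCount <= 0) return Some(peerAddress)

    val entries: Seq[String] = xForwardedFor
      .fold(Seq.empty[String])(_.split(',').toSeq)
      .map(_.trim)
      .filter(_.nonEmpty)

    // The rightmost trustedLayerCount entries were appended by trusted hops.
    // The hop furthest from us recorded the address it received the request
    // from, which is the best available client IP. Anything left of that
    // index arrived in the client's own request and must not be trusted.
    val idx = entries.length - trustedLayerCount
    if (idx < 0) None else Some(entries(idx))
  }

  def main(args: Array[String]): Unit = {
    // Constructed sample: client forged a header, ALB appended the real IP.
    val spoofed = Some("10.0.0.1, 203.0.113.5")
    println(clientIp(spoofed, trustedLayerCount = 1, peerAddress = "172.31.4.7"))
    // -> Some(203.0.113.5)

    // Constructed sample: CDN then ALB (two trusted hops); CDN appended the
    // client, ALB appended the CDN edge.
    val twoHops = Some("198.51.100.9, 192.0.2.33")
    println(clientIp(twoHops, trustedLayerCount = 2, peerAddress = "172.31.4.7"))
    // -> Some(198.51.100.9)

    // Constructed sample: header missing although a proxy is expected.
    println(clientIp(None, trustedLayerCount = 1, peerAddress = "172.31.4.7"))
    // -> None
  }
}
```

Returning `None` for a chain shorter than the trusted count is deliberate: it distinguishes "the proxy did not add its entry" from a genuine client address, so a caller can log or reject such requests rather than silently recording the ALB's own address as the client.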