Prevent X-Forwarded-For spoofing using ELB and Node
I'm analyzing a stack of a public route that rests on an Elastic Load Balancer which opens a port exposed by PM2 that starts a node app using the koa module. At the moment, the IP is logged and that depends solely on the X-Forwarded-For header. If this header is manually created using curl, then the application will write that as the IP address.

Is there an easy way to prevent spoofing of this header, or to set up AWS's ELB so it ignores manually inserted headers, or is there a better way than the spoofable header to get the real IP address of the visitor?

Laundress answered 2/11, 2017 at 10:33 Comment(0)
From the documentation:

...the load balancer appends the client IP address to the existing header and passes the header to your server. The X-Forwarded-For request header may contain multiple IP addresses that are comma separated. The left-most address is the client IP where the request was first made. This is followed by any subsequent proxy identifiers, in a chain.

The first IP is the correct client IP.

Kiona answered 9/11, 2023 at 6:4 Comment(0)
According to the doc:

If a request from a client already contains an X-Forwarded-For header, Elastic Load Balancing appends the IP address of the client at the end of the header value. In this case, the last IP address in the list is the IP address of the client.

So the last IP is always the real IP.

Quesnay answered 2/11, 2017 at 12:25 Comment(6)
In the company's case, the last IP is the spoofed IP, which is returned when calling koa's ctx.request.ip. This is filled by AWS's ELB, which I think may be setting the last X-Forwarded-IP (in this case, it's spoofed) at the end of the array. – Laundress
Maybe koa reverses the order? An array of these IPs is returned, ordered from upstream -> downstream (ref). – Quesnay
@Laundress It is standard behavior for X-Forwarded-For to be appended to by load balancers and proxies. The rightmost unknown (to you) address is the one you always want to trust as being the client IP, and anything to the left of that should be considered "informational" (i.e. may be valid if the immediate upstream peer is a proxy that actually provides this, but may be forged). – Demijohn
This is a bit confusing, isn't it? If the request does not contain an XFF header, the client's real IP is the first entry (left-most; then there are the IPs of ELB, CF, ...); if the request does contain an XFF header, the client's real IP is the last entry (right-most). Is this true? – Isotope
There is no universally agreed standard on X-Forwarded-For; nginx is doing the opposite of ELB. Please see: github.com/koajs/koa/issues/1094#issuecomment-345861282 – Umbel
It appears that this text has been removed from the current version of the ELB docs. – Dripstone
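As an added example (not code from this thread, from AWS or from koa), here is the rule Demijohn describes, trust the rightmost address you cannot vouch for, written as plain Node.js for an app sitting directly behind an ELB: the hop chain is the X-Forwarded-For entries plus the socket peer, and it is walked from the right, skipping addresses that belong to proxies you operate. The 10.0.0.0/16 proxy range and all sample addresses are assumptions, and the address parsing is IPv4 only.

```javascript
'use strict';

// Node's dual-stack sockets report IPv4 peers as "::ffff:a.b.c.d"; strip that.
function normalize(ip) {
  const s = String(ip || '').trim();
  return s.startsWith('::ffff:') ? s.slice(7) : s;
}

// IPv4 only: dotted quad to unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  const nums = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : -1));
  if (nums.some((n) => n < 0 || n > 255)) return null;
  return ((nums[0] << 24) | (nums[1] << 16) | (nums[2] << 8) | nums[3]) >>> 0;
}

// True when ip lies inside the IPv4 CIDR block; anything unparsable is untrusted.
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip);
  const n = ipv4ToInt(net);
  if (a === null || n === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((n & mask) >>> 0);
}

// X-Forwarded-For entries, left (added first) to right (added last).
function parseXff(header) {
  return String(header || '').split(',').map(normalize).filter(Boolean);
}

// Walk the hop chain from the right, skipping proxies we operate, and return the
// first address that is not ours: the client as seen by the nearest trusted proxy.
// Everything left of it arrived in the client's own header and may be forged.
function clientIp(xffHeader, socketRemoteAddress, trustedCidrs) {
  const chain = parseXff(xffHeader).concat([normalize(socketRemoteAddress)]);
  const trusted = (ip) => trustedCidrs.some((c) => inCidr(ip, c));
  for (let i = chain.length - 1; i >= 0; i--) {
    if (!trusted(chain[i])) return chain[i];
  }
  // Every hop was a trusted proxy: report the socket peer rather than guess.
  return chain[chain.length - 1];
}

// Constructed sample: the client forges "1.2.3.4", the ELB (assumed to live in
// 10.0.0.0/16) appends the real client and connects to Node from 10.0.1.7.
const TRUSTED_PROXIES = ['10.0.0.0/16'];
// clientIp('1.2.3.4, 203.0.113.9', '::ffff:10.0.1.7', TRUSTED_PROXIES) -> '203.0.113.9'
```

Inside koa the same value can be computed from ctx.get('x-forwarded-for') and ctx.socket.remoteAddress; koa's own ctx.request.ip takes the leftmost entry of ctx.request.ips, which is the forgeable one. If CloudFront sits in front of the ELB, add its ranges to the trusted list and the walk skips that extra hop too.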
