Hi Justin, You cannot rely on the first IP in XFF (I guess you're doing that at the moment), but you can rely on the next-to-last. The last one is added to XFF by Varnish before entering 'vcl_recv', and the next-to-last is added by the ALB. That's the client IP as seen by the ALB and cannot be forged by clients.
Best,
--
Carlos Abalde

> On 19 Aug 2021, at 22:11, Justin Lloyd <[email protected]> wrote:
>
> Hi all,
>
> Is anyone else running Varnish behind AWS ALBs? I just encountered an issue today with how I have been using X-Forwarded-For to check against a Varnish ACL that is more restrictive than the ALB’s security group, but I realized the hard way that since X-Forwarded-For can be arbitrarily set, a malicious actor can set it to an address that is permitted by the Varnish ACL, whether through guessing or other knowledge. Since Varnish gets XFF from the ALB, which in turn trusts existing XFF headers, you can’t then really trust client.ip since it’s just taken from XFF. Unless I’m missing something...
>
> I’ve opened a support case with AWS to see if there’s a way to configure an ALB to not trust XFF and use the IP from the original TCP connection, but I’m not hopeful. I’ll likely have to go back to using two ALBs rather than one relatively open one and one with a Varnish ACL for tighter controls to a certain subset of the web sites behind the single ALB.
>
> Justin
>
> _______________________________________________
> varnish-misc mailing list
> [email protected]
> https://www.varnish-cache.org/lists/mailman/listinfo/varnish-misc
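One way to express Carlos's suggestion in VCL, added here as an example rather than code from the thread. It assumes Varnish 6 with vmod_std, that Varnish only accepts connections from the ALB (otherwise a direct client could forge the next-to-last entry too), and a hypothetical ACL `restricted_sites` and hostname `restricted.example.com`.

```vcl
vcl 4.1;
import std;

# Hypothetical ACL for the subset of sites that needs tighter access control.
acl restricted_sites {
    "203.0.113.0"/24;
}

sub vcl_recv {
    # By the time vcl_recv runs, Varnish has appended client.ip (the ALB's
    # address) to X-Forwarded-For, so the header looks like:
    #   "<anything the client sent>, <IP the ALB saw>, <ALB IP>"
    # The ALB-observed address is the next-to-last element. The first element
    # is client-controlled and must not be used for ACL decisions.
    if (req.http.X-Forwarded-For ~ "^(.*,\s*)?[^,\s]+\s*,\s*[^,\s]+\s*$") {
        set req.http.X-ALB-Client-IP = regsub(req.http.X-Forwarded-For,
            "^(?:.*,\s*)?([^,\s]+)\s*,\s*[^,\s]+\s*$", "\1");
    } else {
        # Fewer than two entries means the request did not arrive via the ALB
        # (or the header was stripped); leave the value unset so it fails closed.
        unset req.http.X-ALB-Client-IP;
    }

    if (req.http.host == "restricted.example.com") {
        # std.ip() returns the 0.0.0.0 fallback for an unset or unparsable
        # value, which matches no ACL entry, so the request is denied.
        if (std.ip(req.http.X-ALB-Client-IP, "0.0.0.0") !~ restricted_sites) {
            return (synth(403, "Forbidden"));
        }
    }
}
```

The first element of the header is deliberately ignored, so a forged `X-Forwarded-For: 203.0.113.10` from an outside client still yields the ALB-observed address for the ACL check.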
