Mailing List Archive

X-Forwarded-For in amazon loadbalancer
I'm using Cherokee behind an Amazon load balancer serving 3 Cherokee instances
for now, but there's a problem with the IP origin check.
Amazon documentation says that you can't use the load balancer IP because it can
change over time, while Cherokee's "Don't check origin" option warns about not
using a list of IP addresses to limit the possible security hole.

I can't use the load balancer IP, but I can't leave X-Forwarded-For without any
content; is there a huge security issue or am I being paranoid?
Re: X-Forwarded-For in amazon loadbalancer [ In reply to ]
On 02/01/2012 01:11 PM, jlan wrote:
>
> I can't use loadbalancer ip, but i can't leave x-Forwarded-For without
> any content, is there a huge security issue or i'm being paranoic?

Do not enable X-Forwarded-For without checking the origin. That'd allow
anyone to send requests to your server faking his IP. The integrity of
your log files would be jeopardized.
_______________________________________________
Cherokee mailing list
Cherokee@lists.octality.com
http://lists.octality.com/listinfo/cherokee
Re: X-Forwarded-For in amazon loadbalancer [ In reply to ]
On Wed, Feb 1, 2012 at 11:31 PM, Alvaro Lopez Ortega <alvaro@alobbs.com> wrote:

> On 02/01/2012 01:11 PM, jlan wrote:
>
>>
>> I can't use loadbalancer ip, but i can't leave x-Forwarded-For without
>> any content, is there a huge security issue or i'm being paranoic?
>>
>
> Do not enable X-Forwarded-For without checking the origin. That'd allow
> anyone to send requests to your server faking his IP. The integrity of your
> log files would be jeopardized.
>
I think it'd be acceptable if all requests are going via the load
balancer. In this case, the last value in X-Forwarded-For will *always* be
from the load balancer, so you could trust it.
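The rule in the reply above (trust the value the load balancer appended, and only when the request really came through the load balancer) is easy to get wrong in practice, so here is an added example of how a backend could apply it. This is not Cherokee's code and not from the thread: it assumes the load balancers reach the web servers from a private subnet (the 10.0.0.0/8 range below is an assumption, since the thread notes the balancer's address is not fixed), and it resolves the client address by walking X-Forwarded-For from the right, skipping trusted proxy hops, while ignoring the header entirely when the TCP peer is not a trusted proxy.

```python
import ipaddress
from typing import Optional

# Assumption for this example: the load balancers reach the web servers from
# this private range. Substitute the subnet your balancers actually use; the
# thread points out that a single balancer IP cannot be relied on.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr belongs to one of our load balancer networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXY_NETS)


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Resolve the real client address for logging / access control.

    The TCP peer address is the only value the client cannot forge. If the
    peer is not a trusted proxy, the request bypassed the load balancer and
    X-Forwarded-For is attacker-controlled, so it is ignored. If the peer is
    a trusted proxy, each trusted hop appended the address it saw, so the
    rightmost entry that is not itself a trusted proxy is the client; anything
    further left may have been supplied by the client and is not trusted.
    """
    if not is_trusted_proxy(peer_addr) or not xff_header:
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue  # an internal proxy-to-proxy hop, keep walking left
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: do not log garbage, fall back to peer
        return hop
    return peer_addr


# Constructed sample requests (peer address, X-Forwarded-For header value).
SAMPLES = [
    ("198.51.100.7", None),                       # direct hit, no header
    ("198.51.100.7", "10.0.0.1"),                 # direct hit, spoofed header
    ("10.0.1.5", "198.51.100.7"),                 # via balancer, honest
    ("10.0.1.5", "1.1.1.1, 198.51.100.7"),        # via balancer, client spoof
    ("10.0.1.5", "198.51.100.7, 10.0.2.9"),       # two balancer hops
    ("10.0.1.5", "not-an-ip"),                    # via balancer, malformed
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(f"peer={peer:<14} xff={xff!s:<28} -> client={client_ip(peer, xff)}")
```

The leftmost-entry mistake is the one to watch for: a client can send its own X-Forwarded-For, and the balancer appends rather than replaces, so only the rightmost untrusted address is the one the balancer actually observed.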
Re: X-Forwarded-For in amazon loadbalancer [ In reply to ]
You are right, it's more a DNS thing.
In this configuration the A and CNAME records point at the balancer,
not the Cherokee web servers (3 machines at this moment).
So it's OK.

Thanks for all.


On Thu, Feb 2, 2012 at 07:09, Daniel Lo Nigro <lists@dan.cx> wrote:

>
> On Wed, Feb 1, 2012 at 11:31 PM, Alvaro Lopez Ortega <alvaro@alobbs.com> wrote:
>
>> On 02/01/2012 01:11 PM, jlan wrote:
>>
>>>
>>> I can't use loadbalancer ip, but i can't leave x-Forwarded-For without
>>> any content, is there a huge security issue or i'm being paranoic?
>>>
>>
>> Do not enable X-Forwarded-For without checking the origin. That'd allow
>> anyone to send requests to your server faking his IP. The integrity of your
>> log files would be jeopardized.
>>
> I think it'd be acceptable if all requests are going via the load
> balancer. In this case, the last value in X-Forwarded-For will *always* be
> from the load balancer, so you could trust it.