I’ve got Kong running behind an AWS ALB that handles TLS termination and provides us with useful metrics that help us observe outages (ELB_5XX metrics, for example).
Kong is set up basically via something like trusted_ips = 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, where these CIDR ranges represent the internal IPs of our ALB nodes.
This is working fine, up to this point: Kong trusts X-Forwarded-Host headers from untrusted clients.
Thing is, ALBs only set X-Forwarded-[For,Proto,Port] but not X-Forwarded-Host (which it passes through if set by a client).
How can I configure Kong to not extract X-Forwarded-Host from inbound requests, but still have it trust the other X-Forwarded headers? I still need to pass the correct values for all of these down to my backends. [For example, another backend proxy in the chain doesn’t support preserving host headers, so I need to transport correct X-Forwarded-* ones.]
So far, I’m thinking of the following options:
- don’t use trusted_ips but the underlying nginx set_real_ip_from instead. Afaik, this changes the behaviour of ip.is_trusted in Kong, breaking handling of other headers.
- don’t use ALB, but NLB (TLS still terminating at LB) – to Kong, the connection would appear to originate from the original IP address/port. Lose HTTP-related handling that the ALB normally provides.
- somehow mangle the request and redact X-Forwarded-Host before Kong starts using it [?]
Any option I’m missing?
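As an added illustration of the third option (example code, not from the post or from Kong itself), here is the header-trust policy the post describes, in Python: honour X-Forwarded-For/Proto/Port only when the peer is inside the trusted ranges, drop X-Forwarded-Host unconditionally because the ALB never sets it, and resolve the client IP by walking X-Forwarded-For from the right past trusted hops. The CIDRs are the ones from the post; the peer addresses and header values are constructed.

```python
import ipaddress
from typing import Optional

# Same ranges as the trusted_ips setting in the post: the ALB nodes' internal IPs.
TRUSTED_CIDRS = [ipaddress.ip_network(c)
                 for c in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]

# Headers an AWS ALB sets itself. X-Forwarded-Host is deliberately absent:
# the ALB only passes it through from the client, so it must never be trusted.
ALB_SET_HEADERS = ("x-forwarded-for", "x-forwarded-proto", "x-forwarded-port")


def is_trusted(addr: str) -> bool:
    """True if addr falls inside one of the trusted CIDRs (raises ValueError if malformed)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_CIDRS)


def sanitize_forwarded(peer: str, headers: dict) -> dict:
    """Return the headers to pass upstream.

    Trusted peer (the ALB): keep the X-Forwarded-* headers the ALB sets, drop
    X-Forwarded-Host. Untrusted peer: drop every X-Forwarded-* header, since a
    direct client could have set any of them.
    """
    trusted = is_trusted(peer)
    out = {}
    for name, value in headers.items():
        lname = name.lower()
        if not lname.startswith("x-forwarded-"):
            out[name] = value
        elif trusted and lname in ALB_SET_HEADERS:
            out[name] = value
        # anything else (X-Forwarded-Host, or X-Forwarded-* from an untrusted peer) is dropped
    return out


def client_ip(peer: str, xff: Optional[str]) -> str:
    """Resolve the real client IP from X-Forwarded-For, rightmost-untrusted rule.

    If the peer is untrusted the header is ignored and the peer is the client.
    Otherwise walk the chain from the right, skipping trusted hops; the first
    untrusted hop is the client. A malformed entry falls back to the peer.
    """
    if not xff or not is_trusted(peer):
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        for hop in reversed(hops):
            if not is_trusted(hop):
                return hop
    except ValueError:
        return peer
    return hops[0] if hops else peer  # whole chain internal: origin is the leftmost hop
```

The same rules apply whether the sanitising is done in a small proxy in front of Kong or in a request-transforming step, as long as it runs before anything reads X-Forwarded-Host.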