Kong trusted_ips vs AWS Application Load Balancer (ALB)

I’ve got Kong running behind an AWS ALB that handles TLS termination and provides us with useful metrics that help us observe outages (the ELB_5XX metric, for example).

Kong is set up with basically something like trusted_ips = 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, where these CIDR ranges represent the internal IPs of our ALB nodes.

This is working fine, up to this point:

Kong trusts X-Forwarded-Host headers from untrusted clients.

The thing is, ALBs only set X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Port, but not X-Forwarded-Host (which they pass through if set by a client).

How can I configure Kong to not extract X-Forwarded-Host from inbound requests, but still have it trust the other X-Forwarded-* headers? I still need to pass the correct values for all of these down to my backends. (For example, another backend proxy in the chain doesn’t support preserving Host headers, so I need to transport correct X-Forwarded-* headers.)

So far, I’m thinking of the following options:

  • Don’t use trusted_ips but the underlying nginx set_real_ip_from instead. AFAIK, this changes the behaviour of ip.is_trusted in Kong, breaking the handling of the other headers.
  • Don’t use an ALB but an NLB (with TLS still terminating at the LB); to Kong, the connection would appear to originate from the original IP address/port. We’d lose the HTTP-related handling that the ALB normally provides.
  • Somehow mangle the request and redact X-Forwarded-Host before Kong starts using it (?).

Any option I’m missing?
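One way to implement the third option, as an added example that is not from the original post and not part of the Kong project: a small custom plugin (hypothetical name strip-forwarded-host) whose rewrite handler clears the inbound X-Forwarded-Host header before Kong's core consults it for requests arriving from a trusted_ips address, while X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Port stay trusted as before. It assumes Kong 1.x custom-plugin conventions (a handler.lua and schema.lua under kong/plugins/strip-forwarded-host/), that the plugin is enabled globally (Kong only runs plugins' rewrite handlers for globally configured plugins, because the router has not matched a Route yet in that phase), and that the configurable header list (conf.headers) is this plugin's own invention.

```lua
---- file: kong/plugins/strip-forwarded-host/handler.lua ----------------------
-- Hypothetical plugin. Drops client-supplied X-Forwarded-Host (and any other
-- header listed in conf.headers) in the rewrite phase, i.e. before Kong's core
-- reads $http_x_forwarded_host for a connection from a trusted_ips address.
-- The ALB never sets X-Forwarded-Host itself, so nothing legitimate is lost:
-- Kong falls back to the Host header, which the ALB forwards unchanged, and
-- sets the upstream X-Forwarded-Host from that value.
local clear_header = ngx.req.clear_header
local ipairs = ipairs

local StripForwardedHost = {
  -- Only the relative order among other rewrite-phase plugins matters here.
  PRIORITY = 1500,
  VERSION  = "0.1.0",
}

-- rewrite runs before the router and before core's X-Forwarded-* parsing.
-- Kong executes rewrite handlers only for globally enabled plugins, so this
-- plugin has to be added globally (see the Admin API call below).
function StripForwardedHost:rewrite(conf)
  for _, name in ipairs(conf.headers) do
    -- Clearing a header that is absent is a no-op, so no lookup is needed.
    clear_header(name)
    kong.log.debug("stripped inbound header ", name)
  end
end

return StripForwardedHost

---- file: kong/plugins/strip-forwarded-host/schema.lua -----------------------
return {
  name = "strip-forwarded-host",
  fields = {
    { config = {
        type = "record",
        fields = {
          -- Inbound request headers to drop before Kong's core sees them.
          -- Defaults to the one header the ALB passes through untouched.
          { headers = {
              type     = "array",
              elements = { type = "string" },
              default  = { "X-Forwarded-Host" },
          } },
        },
    } },
  },
}

-- Wiring it up (Kong 1.x):
--   kong.conf:        plugins = bundled,strip-forwarded-host
--   enable globally:  curl -X POST http://localhost:8001/plugins \
--                          --data name=strip-forwarded-host
```

To check it, send a request through the ALB with a forged header (curl -H 'X-Forwarded-Host: attacker.example' https://api.example.com/) and confirm that the upstream receives X-Forwarded-Host equal to the real Host while X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Port still carry the values the ALB set. Clearing the header rather than disabling trusted_ips keeps ip.is_trusted and the other X-Forwarded-* handling intact; if some other trusted hop ever does start setting X-Forwarded-Host legitimately, that value will be dropped too, so the plugin should be removed or narrowed at that point.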