I’ve got Kong running behind an AWS ALB that handles TLS termination and provides us with useful metrics that help us observe outages (ELB_5XX metrics, for example).
Kong is set up with something like `trusted_ips = 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8`, where these CIDR ranges represent the internal IPs of our ALB nodes.
This is working fine, up to this point: `X-Forwarded-Host` headers from untrusted clients.
Thing is, ALBs only set `X-Forwarded-[For,Proto,Port]` but not `X-Forwarded-Host` (which they pass through if set by a client).
How can I configure Kong to not extract `X-Forwarded-Host` from inbound requests, but still have it trust the other `X-Forwarded-*` headers? I still need to pass the correct values for all of these down to my backends. [For example, another backend proxy in the chain doesn’t support preserving host headers, so I need to transport correct `X-Forwarded-*` ones.]
So far, I’m thinking of the following options:
- don’t use `trusted_ips` but the underlying nginx `set_real_ip_from` instead. AFAIK, this changes the behaviour of `ip.is_trusted` in Kong, breaking handling of the other headers.
- don’t use an ALB but an NLB (TLS still terminating at the LB): to Kong, the connection would appear to originate from the original IP address/port. Loses the HTTP-related handling that the ALB normally provides.
- somehow mangle the request and redact `X-Forwarded-Host` before Kong starts using it [?]
Any option I’m missing?
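Added illustration, not code from the post or from Kong: the header policy the question describes, modelled in Python with the CIDR ranges given above. The lowercase-dict interface, the sample header values and the choice to rebuild `X-Forwarded-Host` from `Host` are assumptions for the example.

```python
import ipaddress

# Constructed example of the trust boundary described in the post: an ALB node
# (a peer inside trusted_ips) overwrites X-Forwarded-For/Proto/Port itself,
# but only passes X-Forwarded-Host through, so that header is never trustworthy.
TRUSTED_CIDRS = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
ALB_SET_HEADERS = ("x-forwarded-for", "x-forwarded-proto", "x-forwarded-port")


def is_trusted(peer_ip, cidrs=TRUSTED_CIDRS):
    """True if the TCP peer (here: an ALB node) lies inside a trusted range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def sanitize_forwarded(peer_ip, headers, cidrs=TRUSTED_CIDRS):
    """Return the headers a backend may rely on, with X-Forwarded-* policed.

    headers: dict of header name -> value as received from peer_ip.
    Keys of the result are lowercased (assumption for the example).
    """
    h = {k.lower(): v for k, v in headers.items()}
    # Start from everything that is not an X-Forwarded-* header.
    out = {k: v for k, v in h.items() if not k.startswith("x-forwarded-")}
    if is_trusted(peer_ip, cidrs):
        # The ALB set these itself, so they can be kept as received.
        for name in ALB_SET_HEADERS:
            if name in h:
                out[name] = h[name]
    else:
        # Direct, untrusted peer: the only client address we know is the peer.
        out["x-forwarded-for"] = peer_ip
    # X-Forwarded-Host is client-controlled even via a trusted ALB, so rebuild
    # it from the Host header instead of trusting the inbound value.
    if "host" in h:
        out["x-forwarded-host"] = h["host"]
    return out
```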