I have a load balancer on top of Kong. The LB is redirecting the traffic to one of the Kong servers in the Kong cluster. Kong forwards the request to the backend service.
Client → LB (L7 - AWS ALB) → Kong → Backend application [ LB → Web server ]
At the webserver, the X-Forwarded-For header is used to identify the client’s IP to allow IP-based access.
If the client sends an X-Forwarded-For field in the request, it should not be honored. I need to drop the value in the X-Forwarded-For header sent by the client and put the actual client IP in X-Forwarded-For. This is required because anyone knowing the allowed IPs should not have access to the APIs. How can we do that?
Actions taken:
- I have tried the steps mentioned in the post - How to Forward Client's request IP - #2 by thibaultcha. It's not working for me.
  a. Unset LB CIDR in trusted IPs (did not work)
  b. Set field real_ip_header = X-Forwarded-For (did not work)
  c. Set field real_ip_header = X-Real-IP (did not work)
  d. Set real_ip_recursive = on (did not work)
- I have also tried to remove the X-Forwarded-For header in the nginx_kong.lua template as mentioned in this post - kong/nginx_kong.lua at next · Kong/kong · GitHub (did not work)
How can we remove the X-Forwarded-For sent by a client in an API request and set the real client IP in the X-Forwarded-For header? This means I want to discard any pre-existing value in this field and add the client IP (not the LB IP, but the client IP).
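The setting names in the post (trusted_ips, real_ip_header, real_ip_recursive) are Kong's front end to nginx's realip module, whose selection rule is what decides which X-Forwarded-For entry counts as "the client". The following Python is an added example, not code from the post or from Kong: it models that rule so the spoofing problem can be tried offline. Everything in it is constructed for illustration: the ALB range 10.0.0.0/24, the allowlisted range 203.0.113.0/24, the client address 198.51.100.7 and the spoofed entry 203.0.113.10 are assumptions, not values from the post. The model shows two things a practitioner wants to check: the header is only consulted when the TCP peer is a trusted proxy (so the proxy's CIDR has to be in the trusted list, otherwise the header is ignored and the peer address is used), and with the recursive walk the answer is the rightmost entry that is not a trusted proxy, which is the entry the ALB itself appended, so a client-supplied prefix never wins. A backend that reads the first entry instead is the behaviour that lets anyone who knows an allowed IP get through.

```python
import ipaddress

# Assumed ALB address range (constructed for this example). In Kong terms this
# is what would be listed in trusted_ips; it is not a value from the post.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

# Assumed IP allowlist enforced by the backend web server (constructed).
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]


def _parse(addr):
    """Return an ip_address object or None for anything that is not an IP
    (e.g. the literal 'unknown' that some clients put into X-Forwarded-For)."""
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def _is_trusted(addr, trusted):
    ip = _parse(addr)
    return ip is not None and any(ip in net for net in trusted)


def real_client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES, recursive=True):
    """Model of the realip selection rule (real_ip_header = X-Forwarded-For).

    remote_addr is the TCP peer address, xff_header the header as received.
    The header is consulted only when the peer is a trusted proxy; an attacker
    connecting directly to Kong is therefore identified by their peer address.
    With recursive=True the entries are walked right-to-left, skipping trusted
    proxies, and the first untrusted one is returned; that is the entry the
    outermost trusted proxy appended, so client-supplied entries to its left
    are ignored.  With recursive=False the rightmost entry is returned.
    """
    if not _is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    if not hops:
        return remote_addr
    if not recursive:
        return hops[-1]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            return hop
    # Every entry belongs to a trusted proxy: nothing identifies a client, so
    # fall back to the peer (a choice made for this model, not nginx's).
    return remote_addr


def rewrite_xff_for_upstream(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Header value a gateway should forward when the backend will read the
    first entry: the derived client IP alone, with any client prefix dropped."""
    return real_client_ip(remote_addr, xff_header, trusted)


def ip_allowed(remote_addr, xff_header, allowlist=ALLOWLIST, trusted=TRUSTED_PROXIES):
    """Access check done the safe way: derive the client IP first."""
    ip = _parse(real_client_ip(remote_addr, xff_header, trusted))
    return ip is not None and any(ip in net for net in allowlist)


def naive_first_entry_allowed(xff_header, allowlist=ALLOWLIST):
    """The spoofable check: trust whatever the first X-Forwarded-For entry says."""
    first = (xff_header or "").split(",")[0].strip()
    ip = _parse(first)
    return ip is not None and any(ip in net for net in allowlist)


if __name__ == "__main__":
    # Constructed request: the client (198.51.100.7) sends a forged
    # X-Forwarded-For naming an allowlisted address; the ALB (10.0.0.5)
    # appends the real peer address before handing the request to Kong.
    peer, xff = "10.0.0.5", "203.0.113.10, 198.51.100.7"
    print("naive check :", naive_first_entry_allowed(xff))   # True  (spoofed)
    print("realip check:", ip_allowed(peer, xff))            # False (denied)
    print("upstream XFF:", rewrite_xff_for_upstream(peer, xff))
```

The model also makes the failure modes in the post visible: remove the ALB range from the trusted list and `real_client_ip` returns the ALB's own address for every request, because an untrusted peer's header is never read; switch the recursive walk off and a second trusted hop appended to the header (Kong's own address, for example) is what comes back instead of the client.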