Prevent IP spoofing and identify the actual client IP

I have a load balancer on top of Kong. The LB redirects traffic to one of the Kong servers in the Kong cluster. Kong forwards the request to the backend service.
Client → LB (L7 - AWS ALB) → Kong → Backend application [ LB → Web server ]

At the webserver, the X-Forwarded-For header is used to identify the client’s IP to allow IP-based access.

If the client sends an X-Forwarded-For field in the request, it should not be honored. I need to drop the value of the X-Forwarded-For header sent by the client and add the actual client IP to X-Forwarded-For. This is required because anyone knowing the allowed IPs should not have access to the APIs. How can we do that?

Actions taken:

  1. I have tried the steps mentioned in the post How to Forward Client's request IP - #2 by thibaultcha. It's not working for me.
    a. Unset LB CIDR in trusted IPs (did not work)
    b. Set field real_ip_header = X-Forwarded-For (did not work)
    c. Set field real_ip_header = X-Real-IP (did not work)
    d. Set real_ip_recursive = on (did not work)

  2. I have also tried removing the X-Forwarded-For header in the nginx_kong.lua template as mentioned in this post -
    kong/nginx_kong.lua at next · Kong/kong · GitHub
    (Did not work)

How can we remove the X-Forwarded-For header sent by a client in an API request and set the real client IP in the X-Forwarded-For header? This means I want to discard any pre-existing value in this field and add the client IP (not the LB IP, but the client IP).

Client → LB (L7 - AWS ALB) → Kong → Backend application [ LB → Web server ]

Can you please help with this?
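A note on where the check belongs, illustrated with an added example that is not part of this thread or of Kong. Every hop in the diagram (the ALB, then Kong) appends the address it accepted the connection from to X-Forwarded-For; nothing in the chain strips what the client put there first. The robust fix is therefore not to rewrite the header but to have the web server read it from the right, skipping the proxies it operates, and to ignore the header entirely when the connection did not come through one of those proxies. The trusted CIDRs, the allowlist and the request values below are constructed placeholders (the question does not give the real ALB or Kong address ranges):

```python
import ipaddress
from typing import Optional, Sequence

# Constructed placeholders: address ranges of the proxies we operate (the ALB
# subnets and the Kong nodes). Only addresses appended by these hops are
# believed. Do NOT put client ranges in here.
TRUSTED_PROXY_CIDRS: Sequence[str] = ("10.0.0.0/8", "172.16.0.0/12")


def _parse_ip(value: str):
    """Return an ip_address for a single X-Forwarded-For entry, or None if malformed."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def is_trusted_proxy(ip, trusted_cidrs: Sequence[str] = TRUSTED_PROXY_CIDRS) -> bool:
    # A v4 address is never "in" a v6 network and vice versa; no exception is raised.
    return any(ip in ipaddress.ip_network(c, strict=False) for c in trusted_cidrs)


def resolve_client_ip(remote_addr: str, xff: Optional[str],
                      trusted_cidrs: Sequence[str] = TRUSTED_PROXY_CIDRS) -> Optional[str]:
    """Walk the proxy chain backwards from the connecting peer.

    Each trusted proxy appends its own peer, so the rightmost entries were
    written by us. The first entry (from the right) that is not one of our
    proxies is the client. Everything left of it arrived from that client
    and is attacker-controlled, so it is never looked at.
    Returns None when the header is malformed inside the trusted region,
    so that callers fail closed instead of guessing.
    """
    peer = _parse_ip(remote_addr)
    if peer is None:
        return None
    if not is_trusted_proxy(peer, trusted_cidrs):
        # Direct connection (or an unknown proxy): the header is untrusted
        # in its entirety, the TCP peer is the client.
        return str(peer)

    hops = [h for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            return None          # garbage where only our proxies should write
        if not is_trusted_proxy(ip, trusted_cidrs):
            return str(ip)
    # Every entry was one of our own proxies (e.g. an internal caller):
    # the leftmost one is the originator; with no header at all it is the peer.
    return str(_parse_ip(hops[0])) if hops else str(peer)


def is_allowed(remote_addr: str, xff: Optional[str], allowlist: Sequence[str],
               trusted_cidrs: Sequence[str] = TRUSTED_PROXY_CIDRS) -> bool:
    """IP allowlist check that cannot be satisfied by a client-supplied header."""
    client = resolve_client_ip(remote_addr, xff, trusted_cidrs)
    if client is None:
        return False
    addr = ipaddress.ip_address(client)
    return any(addr in ipaddress.ip_network(a, strict=False) for a in allowlist)


if __name__ == "__main__":
    # Constructed scenario: allowed client range 203.0.113.0/24, ALB at
    # 10.1.2.3, Kong at 10.1.5.7 (the web server's TCP peer), attacker at
    # 198.51.100.77 sending a forged "X-Forwarded-For: 203.0.113.10".
    allowlist = ("203.0.113.0/24",)
    # After the ALB and Kong each appended their peer:
    forged = "203.0.113.10, 198.51.100.77, 10.1.2.3"
    print("forged header ->", resolve_client_ip("10.1.5.7", forged),
          "allowed:", is_allowed("10.1.5.7", forged, allowlist))
    genuine = "203.0.113.10, 10.1.2.3"
    print("genuine client ->", resolve_client_ip("10.1.5.7", genuine),
          "allowed:", is_allowed("10.1.5.7", genuine, allowlist))
```

The forged value survives the whole chain in the header, but it sits to the left of the real client address that the ALB appended, so the walk never reaches it. The same logic denies an attacker who reaches the web server directly (peer not in a trusted range) no matter what header they send. Keep the trusted ranges tight: if a client-reachable range is listed as trusted, the walk skips over it and lands on whatever the client wrote.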

Setting externalTrafficPolicy to Local in the kong service configuration lets you obtain the real client IP.

@alion-wen, I am able to get the client IP appended to the XFF header. I want to clear what is already received in the XFF header and send the real client IP to the upstream service, which I am unable to do.

Do you speak Chinese? We can communicate via email ops_gavin7@163.com

I also have some questions for you about Kong.


© 2019 Kong Inc.