Overriding header
Hi,
Currently my company has been using the X-Forwarded-For header. However, it seems this logic is susceptible to spoofing. Is there any way to essentially minimize the spoofing on our end?
I have read about adding custom headers to true-client-ip. However, please correct me if I am wrong: the true-client-ip comes from the left-most IP address in X-Forwarded-For, which is still vulnerable to spoofing. Is there a better solution to this?
Thanks,
Nav
-
Hi Nav, please see the reference on req.http.Fastly-Client-IP, which is a good way to log the IP of the inbound client to Fastly. This also avoids logging the edge node cache IP instead of the client when shielding.
-
Hi Nav,
After you save the "true client ip" in a new header from the X-Forwarded-For header, you can unset the header before the request goes to origin. So you can add the VCL below in vcl_miss & vcl_pass, as these subroutines are the only places the request goes to the origin.
if (req.http.X-Forwarded-For) { unset bereq.http.X-Forwarded-For; }
I created that on fiddle. Please take a look.
Just wanted to mention that Fastly adds/appends X-Forwarded headers when the incoming request is TLS. If incoming requests already have X-Forwarded headers, Fastly appends to them; if not, these headers are newly added.
Here is the documentation for our new headers, as Richard mentioned! https://docs.fastly.com/guides/basic-configuration/adding-or-modifying-headers-on-http-requests-and-responses#common-sources-of-new-content
Let us know if you need more clarifications / advice!
Ichi
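The two replies above make the same point from different angles: the left-most X-Forwarded-For value is whatever the client chose to send, while a header the edge sets itself (Fastly-Client-IP) or the right-most hops appended by proxies you control are what an origin can actually rely on. The following Python is an added illustration of that origin-side logic, not code from Fastly or from anyone in this thread. The proxy address ranges, header names other than Fastly-Client-IP and X-Forwarded-For, and the sample requests are all constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder ranges standing in for the edge/proxy addresses the
# origin is allowed to trust. Replace with your real upstream ranges.
TRUSTED_PROXIES = [ip_network("203.0.113.0/24"), ip_network("10.0.0.0/8")]


def is_trusted(ip):
    """True if ip (string or ipaddress object) belongs to a trusted proxy range."""
    addr = ip_address(ip) if isinstance(ip, str) else ip
    return any(addr in net for net in TRUSTED_PROXIES)


def naive_leftmost_xff(xff):
    """The pattern the question describes: take the first X-Forwarded-For entry.
    This value is fully client-controlled, so it is only shown for contrast."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    return hops[0] if hops else None


def client_ip_from_xff(xff, peer_ip):
    """Walk X-Forwarded-For from the right and skip the proxies we trust.

    The first hop that is *not* one of our proxies was reported by a proxy we
    trust, so it is the best available client address. Anything further left
    was supplied by the client (or an untrusted proxy) and is ignored.
    Returns None if the chain is malformed rather than guessing.
    """
    # If the TCP peer is not a trusted proxy, the header never passed through
    # our infrastructure: ignore it entirely and use the socket address.
    if not is_trusted(peer_ip):
        return str(ip_address(peer_ip))
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            return None  # garbage in the chain: fail closed
        if not is_trusted(addr):
            return str(addr)
    # Every hop was one of ours (e.g. internal health check): fall back to peer.
    return str(ip_address(peer_ip))


def origin_client_ip(headers, peer_ip):
    """Origin-side selection in the spirit of Richard's reply.

    Prefer the edge-set Fastly-Client-IP, but only when the request actually
    arrived from a trusted edge; otherwise the header is just another
    client-supplied string. Fall back to the right-to-left XFF walk, then to
    the socket peer.
    """
    lookup = {k.lower(): v for k, v in headers.items()}
    if is_trusted(peer_ip):
        fci = lookup.get("fastly-client-ip")
        if fci:
            try:
                return str(ip_address(fci.strip()))
            except ValueError:
                return None
        xff = lookup.get("x-forwarded-for")
        if xff:
            return client_ip_from_xff(xff, peer_ip)
    return str(ip_address(peer_ip))


if __name__ == "__main__":
    # Constructed request: client injected "1.2.3.4", the real client was
    # 198.51.100.7, and our edge 203.0.113.5 appended itself before forwarding.
    spoofed = "1.2.3.4, 198.51.100.7, 203.0.113.5"
    print("naive:", naive_leftmost_xff(spoofed))          # attacker's value
    print("walk :", client_ip_from_xff(spoofed, "10.0.0.1"))  # real client
    print("edge :", origin_client_ip(
        {"Fastly-Client-IP": "198.51.100.7", "X-Forwarded-For": spoofed},
        "10.0.0.1"))
```

The design choice worth noting is that trust is anchored to the TCP peer, not to the header: a request that reaches the origin directly (bypassing the edge) gets its socket address regardless of what it claims, and a malformed chain returns None instead of a best guess, which is what you want for anything feeding rate limits or allow-lists.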