IP addresses for the SP behind an ALB

Wessel, Keith kwessel at illinois.edu
Sun Dec 9 13:05:12 EST 2018


I've recently hit up against one of our SPs that's moved to AWS behind an ALB. The IP address being passed to Apache and on to mod_shib is the ALB's privatenet IP, not the client's IP which is instead passed in an X-Forwarded-For header. When you have two different ALB nodes running in two different availability zones, you can obviously have flip-flopping of what IP the SP sees. The easy fix: turn off consistentAddress in the SP. That obviously turns off a good security measure, though.

Is there any way to get Apache or the SP to recognize the client's SP from the X-Forwarded-For header instead of from the TCP packet info?

I suppose other load balancers that work similarly might have the same problem. This seems like it'd be something one can convince Apache to handle, but I haven't found a way yet.


More information about the users mailing list