IP addresses for the SP behind an ALB
Andrew Morgan
morgan at orst.edu
Sun Dec 9 14:45:10 EST 2018
On Sun, 9 Dec 2018, Wessel, Keith wrote:
> All,
>
> I've recently hit up against one of our SPs that's moved to AWS behind
> an ALB. The IP address being passed to Apache and on to mod_shib is the
> ALB's privatenet IP, not the client's IP which is instead passed in an
> X-Forwarded-For header. When you have two different ALB nodes running in
> two different availability zones, you can obviously have flip-flopping
> of what IP the SP sees. The easy fix: turn off consistentAddress in the
> SP. That obviously turns off a good security measure, though.
>
> Is there any way to get Apache or the SP to recognize the client's SP
> from the X-Forwarded-For header instead of from the TCP packet info?
>
> I suppose other load balancers that work similarly might have the same
> problem. This seems like it'd be something one can convince Apache to
> handle, but I haven't found a way yet.
Keith,
We have our IDP nodes behind the AWS ALB. We use Apache on each node and
proxy the connection to Tomcat running Shibboleth. Apache's mod_remoteip
takes care of the X-Forwarded-For handling. I assume the configuration
will be similar for SPs. Here is what I added to apache2.conf:
# Process X-Forwarded-For from the load balancer
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 172.31.0.0/20
RemoteIPTrustedProxy 172.31.16.0/20
Let me know if you have any other questions.
Thanks,
Andy
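To show why the RemoteIPTrustedProxy list matters for the consistentAddress check, here is an added example (not from this thread or from Apache) that models mod_remoteip's selection logic in simplified form: starting from the TCP peer, walk the X-Forwarded-For list right to left, discard every hop that is a trusted proxy, and take the first untrusted address as the client. The proxy ranges are the two from the apache2.conf snippet above; the client and peer addresses are constructed, and the real module adds further rules (for example it does not accept private-range addresses as the client under RemoteIPTrustedProxy) that this model omits.

```python
import ipaddress

# Trusted proxy ranges, copied from the RemoteIPTrustedProxy lines above.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("172.31.0.0/20", "172.31.16.0/20")]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr falls inside one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in trusted)


def resolve_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Simplified model of mod_remoteip with RemoteIPTrustedProxy.

    Returns (client_ip, leftover_hops). The header is only honoured when the
    TCP peer itself is a trusted proxy; hops are consumed right to left and
    the first hop that is not a trusted proxy becomes the client address.
    Anything further left (e.g. a value the client injected itself) is left
    over and never used as the client address.
    """
    if not is_trusted(peer_ip, trusted):
        # Direct connection that bypassed the load balancer: ignore the header.
        return peer_ip, []
    hops = [h.strip() for h in xff_header.split(",") if h.strip()] if xff_header else []
    while hops:
        candidate = hops.pop()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            # Malformed entry: stop walking and keep the last trusted hop.
            return peer_ip, hops + [candidate]
        if not is_trusted(candidate, trusted):
            return candidate, hops
        peer_ip = candidate  # a trusted hop; keep walking left

    # Every hop was a trusted proxy: fall back to the innermost one.
    return peer_ip, []


if __name__ == "__main__":
    # Constructed: the same client seen through two ALB nodes in different AZs.
    for alb_node in ("172.31.5.10", "172.31.20.3"):
        print(alb_node, "->", resolve_client_ip(alb_node, "203.0.113.7"))
    # Constructed: the client injected its own X-Forwarded-For before the ALB appended the real one.
    print(resolve_client_ip("172.31.20.3", "198.51.100.1, 203.0.113.7"))
```

With both ALB nodes resolving to the same client address, the SP's consistentAddress check no longer flip-flops, and an injected header value is left over rather than trusted.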