IP addresses for the SP behind an ALB

Andrew Morgan morgan at orst.edu
Sun Dec 9 14:45:10 EST 2018

On Sun, 9 Dec 2018, Wessel, Keith wrote:

> All,
> I've recently hit up against one of our SPs that's moved to AWS behind 
> an ALB. The IP address being passed to Apache and on to mod_shib is the 
> ALB's privatenet IP, not the client's IP which is instead passed in an 
> X-Forwarded-For header. When you have two different ALB nodes running in 
> two different availability zones, you can obviously have flip-flopping 
> of what IP the SP sees. The easy fix: turn off consistentAddress in the 
> SP. That obviously turns off a good security measure, though.
> Is there any way to get Apache or the SP to recognize the client's IP 
> from the X-Forwarded-For header instead of from the TCP packet info?
> I suppose other load balancers that work similarly might have the same 
> problem. This seems like it'd be something one can convince Apache to 
> handle, but I haven't found a way yet.


We have our IDP nodes behind the AWS ALB.  We use Apache on each node and 
proxy the connection to Tomcat running Shibboleth.  Apache's mod_remoteip 
takes care of the X-Forwarded-For handling.  I assume the configuration 
will be similar for SPs.  Here is what I added to apache2.conf:

   # Process X-Forwarded-For from the load balancer
   RemoteIPHeader X-Forwarded-For

Let me know if you have any other questions.
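As an added example (not from Andrew's mail or from the Shibboleth project), here is the same idea written out as a complete Apache 2.4 fragment with the one directive a practitioner would want alongside RemoteIPHeader: a proxy list, so the header is only believed when the TCP peer really is the load balancer. The subnet 10.0.0.0/16 is a placeholder for whatever VPC subnets the ALB nodes occupy.

```apache
# Added example, not part of the original reply. Apache httpd 2.4 with
# mod_remoteip loaded ahead of mod_shib. 10.0.0.0/16 is a placeholder for
# the VPC subnets the ALB nodes actually sit in.
LoadModule remoteip_module modules/mod_remoteip.so

# Replace the connection peer (an ALB node) with the client address
# carried in X-Forwarded-For.
RemoteIPHeader X-Forwarded-For

# Only honour that header when the TCP peer is one of the ALB nodes.
# With no proxy list configured, mod_remoteip trusts the header from any
# peer and walks all the way to its leftmost entry, which the client
# controls, so a direct connection or a crafted header can forge the IP.
RemoteIPInternalProxy 10.0.0.0/16

# %a is the client address after mod_remoteip has run; %{c}a is the raw
# TCP peer (the ALB node), logged alongside it for audit.
LogFormat "%a %{c}a %l %u %t \"%r\" %>s %b" alb_combined
```

With this in place the address Apache exposes to mod_shib is the client's rather than the ALB node's, so consistentAddress no longer trips over requests moving between availability zones. Clients whose own address legitimately changes mid-session (mobile networks, some NATs) will still fail that check; that is the trade-off the setting always had.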
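To show why the proxy list matters, the following is an added Python model of mod_remoteip's resolution walk (my own illustration, not the module's code): start from the TCP peer, and while the current address belongs to a trusted proxy, pop the rightmost X-Forwarded-For entry and adopt it as the client. With no proxy list every hop is trusted, so the leftmost, client-supplied entry wins. The subnet and the addresses are constructed for the example.

```python
import ipaddress

# Constructed sample configuration (hypothetical): the ALB nodes live in
# 10.0.0.0/16, so that subnet plays the role of RemoteIPInternalProxy.
ALB_SUBNETS = [ipaddress.ip_network("10.0.0.0/16")]


def is_trusted_proxy(addr, proxies):
    """True if addr belongs to the proxy list. With no list configured,
    mod_remoteip trusts every hop, which is the insecure default."""
    if proxies is None:
        return True
    return any(addr in net for net in proxies)


def resolve_client_ip(peer_ip, xff_header, proxies=ALB_SUBNETS):
    """Return the address mod_remoteip would expose as the client.

    peer_ip    -- the TCP peer Apache actually accepted the connection from
    xff_header -- the X-Forwarded-For value, or None if the header is absent
    proxies    -- trusted proxy networks, or None for "trust everything"
    """
    client = ipaddress.ip_address(peer_ip)
    if not xff_header:
        return str(client)
    # Header reads "client, proxy1, proxy2": each hop appends the peer it saw,
    # so the rightmost entry was written by the hop nearest to us.
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk right to left for as long as the current address is a trusted proxy.
    while hops and is_trusted_proxy(client, proxies):
        try:
            client = ipaddress.ip_address(hops.pop())
        except ValueError:
            break  # malformed hop in this model: stop rather than guess
    return str(client)


if __name__ == "__main__":
    alb_node = "10.0.5.7"
    # Honest request: the ALB appended the real client to an empty header.
    print(resolve_client_ip(alb_node, "203.0.113.9"))
    # Forged request: the client sent "X-Forwarded-For: 198.51.100.1" and the
    # ALB appended the real peer. With a proxy list the forgery is ignored...
    print(resolve_client_ip(alb_node, "198.51.100.1, 203.0.113.9"))
    # ...without one, the forged leftmost entry becomes the "client".
    print(resolve_client_ip(alb_node, "198.51.100.1, 203.0.113.9", proxies=None))
    # Direct connection that bypasses the ALB: peer is untrusted, header ignored.
    print(resolve_client_ip("203.0.113.9", "198.51.100.1"))
```

The last case is the one worth remembering when hardening: if Apache is reachable on an address other than the ALB's, a proxy list is what keeps a direct connection from impersonating any address it likes.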

