IP addresses for the SP behind an ALB

Nate Klingenstein ndk at signet.id
Sun Dec 9 17:09:21 EST 2018


In addition to Andy's answer, you should be able to do this within the SP itself if need be by setting the REMOTE_ADDR attribute to match the header variable in content settings.


Take care,

-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Wessel, Keith
Sent: Sunday, December 9, 2018 11:05 AM
To: users at shibboleth.net
Subject: IP addresses for the SP behind an ALB


I've recently hit up against one of our SPs that's moved to AWS behind an ALB. The IP address being passed to Apache and on to mod_shib is the ALB's privatenet IP, not the client's IP which is instead passed in an X-Forwarded-For header. When you have two different ALB nodes running in two different availability zones, you can obviously have flip-flopping of what IP the SP sees. The easy fix: turn off consistentAddress in the SP. That obviously turns off a good security measure, though.

Is there any way to get Apache or the SP to recognize the client's SP from the X-Forwarded-For header instead of from the TCP packet info?

I suppose other load balancers that work similarly might have the same problem. This seems like it'd be something one can convince Apache to handle, but I haven't found a way yet.


For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
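As an added illustration (not code from either message in this thread, nor from Apache or the Shibboleth SP): the selection logic a trusted-proxy-aware resolver applies to X-Forwarded-For for the ALB setup described above, in Python. The ALB subnets and all sample addresses are constructed values; it assumes, as ALBs do, that the load balancer appends the connecting client's address to any X-Forwarded-For it receives, so the rightmost entry not belonging to our own proxies is the client, whichever ALB node in whichever availability zone forwarded the request.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed sample values: the private subnets the two ALB nodes sit in.
ALB_SUBNETS = [
    ipaddress.ip_network("10.0.1.0/24"),   # ALB node, availability zone A
    ipaddress.ip_network("10.0.2.0/24"),   # ALB node, availability zone B
]


def _is_trusted_proxy(addr, trusted: Iterable) -> bool:
    """True if addr lies in one of the trusted proxy subnets."""
    return any(addr in net for net in trusted)


def client_ip(remote_addr: str, xff: Optional[str], trusted: Iterable = ALB_SUBNETS) -> str:
    """Return the address that should stand in for REMOTE_ADDR.

    Only consult X-Forwarded-For when the TCP peer is one of our proxies.
    Walk the header from the right (the entry the nearest proxy appended)
    and stop at the first address that is not a trusted proxy. Anything to
    the left of that was supplied by the client or by an unknown upstream
    and is ignored. On any doubt, fall back to the TCP peer address.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted_proxy(peer, trusted):
        return remote_addr          # direct connection: the header is untrusted
    if not xff:
        return remote_addr          # proxy forwarded nothing usable
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr      # malformed entry: never trust the chain
        if not _is_trusted_proxy(addr, trusted):
            return str(addr)
    return remote_addr              # every hop was one of our own proxies


if __name__ == "__main__":
    # Same client seen through either ALB node resolves to the same address,
    # which is what a consistentAddress check on the session needs.
    print(client_ip("10.0.1.5", "203.0.113.7"))
    print(client_ip("10.0.2.9", "203.0.113.7"))
```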