IP addresses for the SP behind an ALB
Wessel, Keith
kwessel at illinois.edu
Thu Dec 13 22:42:41 EST 2018
Thanks, Nate and Andy, for the help on this. We used Andy's suggestion, and it worked great. We also modified the Apache log format to use the client's IP rather than that of the ALB in log messages. Thought I'd mention that here for posterity's sake since that's an extra step that wasn't mentioned.
Thanks again,
Keith
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Nate Klingenstein
Sent: Sunday, December 9, 2018 4:09 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: IP addresses for the SP behind an ALB
Keith,
In addition to Andy's answer, you should be able to do this within the SP itself if need be by setting the REMOTE_ADDR attribute to match the header variable in content settings.
https://wiki.shibboleth.net/confluence/display/SP3/ContentSettings
Take care,
Nate.
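Putting the two suggestions in the thread together (Nate's REMOTE_ADDR content setting, Keith's log-format change), here is an added httpd configuration example that is not from the thread or from the Shibboleth project. It assumes mod_remoteip is loaded, that 10.0.0.0/16 is a placeholder for the VPC subnets the ALB nodes live in, and that the `ShibRequestSetting REMOTE_ADDR` syntax is as I remember it from the ContentSettings page linked above (check before relying on it).

```apache
# Added example: Apache 2.4 + Shibboleth SP behind an AWS ALB.
# 10.0.0.0/16 is a placeholder for the ALB's private subnets; substitute yours.

# --- Weak: honour X-Forwarded-For from anyone ---
# RemoteIPHeader X-Forwarded-For
# Without a RemoteIPInternalProxy/RemoteIPTrustedProxy list, any peer that can
# reach httpd directly may forge the client address, and consistentAddress
# would then be checking a value the client controls.

# --- Corrected: only the ALB may rewrite the client address ---
RemoteIPHeader X-Forwarded-For
# mod_remoteip only acts when the TCP peer is in this list. It walks
# X-Forwarded-For right to left, discarding every trusted hop, and stops at the
# first untrusted entry, i.e. the address the ALB itself appended. A client that
# sends its own X-Forwarded-For only pushes junk further left, where it is ignored.
# Listing the whole subnet covers every ALB node in every availability zone, so
# the address the SP sees no longer flip-flops between nodes.
RemoteIPInternalProxy 10.0.0.0/16

# Log the resolved client address (%a) instead of the TCP peer (%h, an ALB node).
# This is the extra step Keith mentions; %{c}a would still give the raw peer.
LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" alb_combined
CustomLog ${APACHE_LOG_DIR}/access.log alb_combined

# With mod_remoteip active the SP already sees the rewritten address, so
# consistentAddress can stay on. Only if mod_remoteip cannot be used should the
# SP-side alternative from Nate's reply be considered; it reads the raw header,
# so it is only safe when nothing but the ALB can reach this vhost.
# <Location /secure>
#   AuthType shibboleth
#   ShibRequestSetting requireSession 1
#   ShibRequestSetting REMOTE_ADDR X-Forwarded-For   # assumed syntax, verify
#   Require shib-session
# </Location>
```

Use one approach or the other, not both: stacking the SP setting on top of mod_remoteip would make the SP compare the unfiltered header string rather than the address mod_remoteip resolved.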
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Wessel, Keith
Sent: Sunday, December 9, 2018 11:05 AM
To: users at shibboleth.net
Subject: IP addresses for the SP behind an ALB
All,
I've recently hit up against one of our SPs that's moved to AWS behind an ALB. The IP address being passed to Apache and on to mod_shib is the ALB's privatenet IP, not the client's IP which is instead passed in an X-Forwarded-For header. When you have two different ALB nodes running in two different availability zones, you can obviously have flip-flopping of what IP the SP sees. The easy fix: turn off consistentAddress in the SP. That obviously turns off a good security measure, though.
Is there any way to get Apache or the SP to recognize the client's IP from the X-Forwarded-For header instead of from the TCP packet info?
I suppose other load balancers that work similarly might have the same problem. This seems like it'd be something one can convince Apache to handle, but I haven't found a way yet.
Thanks,
Keith
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net