X-Forwarded Headers for Logical Server in vSEC for AWS
I am interested to know if there is a way to enable vSEC to apply the X-Forwarded Headers to traffic destined for Logical Server objects and, subsequently, to ELB, so that the target servers could identify the origin IP of the client.
Otherwise, servers identify ELBs as origins for all sessions.
Thank you,
Vladimir
I have the same question.
This is discussed in this SK: CloudGuard Auto Scaling for AWS:
The connections arriving at the Security Gateways have a source IP address belonging to the proxy ELB rather than the web client.
Because the ELB is acting as a TCP proxy and not as an HTTP proxy, no "X-Forwarded-For" HTTP header is present to identify and log the original client.
Instead, the ELB is set up by the CloudFormation Template to add a Proxy Protocol header.
This allows the Security Gateways to log the original client address.
My guess is if you set up the ELB correctly, it should add the appropriate header (thus we can use it).
What I am reading in the section you are quoting is that there is a way to set it up, but it is alluding to a CloudFormation template.
Is there a breakdown of the configuration used by said template that will allow us to replicate same in the ELBs or a template for the ELB on its own with the proxy protocol header function added?
When in doubt, read the CloudFormation Script, which is just JSON.
Guessing this is the relevant bit:
    "Policies": [
        {
            "PolicyName": "EnableProxyProtocol",
            "PolicyType": "ProxyProtocolPolicyType",
            "Attributes": [
                {
                    "Name": "ProxyProtocol",
                    "Value": "true"
                }
            ],
            "InstancePorts": [
                {
                    "Ref": "ELBPort"
                }
            ]
        }
    ],
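How a listener behind the ELB can recover the client address from the Proxy Protocol header that this policy turns on, as an added example that is not part of the original post or of the Check Point template: a Python parser for the version 1 (text) header that Classic Load Balancers send. The `TRUSTED_LB_NETS` subnet, the function names and the sample addresses are constructed assumptions.

```python
import ipaddress

MAX_V1_LINE = 107  # v1 header limit from the PROXY protocol spec, CRLF included
# Assumption: subnet the ELB nodes live in (constructed sample value).
TRUSTED_LB_NETS = [ipaddress.ip_network("10.0.1.0/24")]
# Constructed sample: what the instance reads first on a proxied connection.
SAMPLE = b"PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\nGET / HTTP/1.1\r\n"


class ProxyHeaderError(ValueError):
    """Raised when the connection preamble is not a valid v1 header."""


def parse_proxy_v1(data: bytes):
    """Split a v1 header off data; return (source, destination, payload)."""
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ProxyHeaderError("no PROXY v1 line in the first 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError as exc:
        raise ProxyHeaderError("non-ASCII header") from exc
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":  # the proxy could not determine the addresses
        return None, None, payload
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ProxyHeaderError("unexpected field layout")
    version = 4 if fields[1] == "TCP4" else 6
    try:
        src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
        sport, dport = (int(f) if f.isdigit() else -1 for f in fields[4:6])
    except ValueError as exc:
        raise ProxyHeaderError("bad address") from exc
    if src.version != version or dst.version != version:
        raise ProxyHeaderError("address family does not match protocol")
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ProxyHeaderError("bad port")
    return (str(src), sport), (str(dst), dport), payload


def client_address(peer_ip: str, data: bytes):
    """Address to log: the header's source only when the peer is the ELB."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_LB_NETS):
        return peer_ip  # a header from an untrusted peer is not believed
    source, _, _ = parse_proxy_v1(data)
    return source[0] if source else peer_ip
```

The trust check matters because the header is plain text at the start of the stream: a listener that honours it from any peer lets that peer choose the address that ends up in the logs.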
Thanks!
Got to try it sometime soon.
Hi,
XFF support is currently in the pipeline - my best guess is that it will probably be added in a future R80.30 JHF or possibly in R80.40.
Not sure exactly when, but it's coming.
Regards,
Yonatan