Varnish and AWS ALBs

[Justin Lloyd]

Hi all,

Is anyone else running Varnish behind AWS ALBs? I just encountered an issue today with how I have been using X-Forwarded-For to check against a Varnish ACL in that is more restrictive than the ALB's security group, but I realized the hard way that since X-Forwarded-For can be arbitrarily set, a malicious actor can set it to an address that is permitted by the Varnish ACL, whether through guessing or other knowledge. Since Varnish gets XFF from the ALB, which in turn trusts existing XFF headers, you can't then really trust client.ip since it's just taken from XFF. Unless I'm missing something...

I've opened a support case with AWS to see if there's a way to configure an ALB to not trust XFF and use the IP from the original TCP connection, but I'm not hopeful. I'll likely have to go back to using two ALBs rather than one relatively open one and one with a Varnish ACL for tigher controls to a certain subset of the web sites behind the single ALB.

Justin

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.varnish-cache.org/lists/pipermail/varnish-misc/attachments/20210819/65d6f392/attachment.html>