Load Balancer - X-Forwarded-for

Aquanet
19 December 2014, 21:52
Hello Hugo,

We are running several servers with Hiawatha behind a load balancer.

The problem we are getting is that Hiawatha considers the Load Balancer IP as the visitor IP and performs bans and request limitations on the Load Balancer IP, instead of the real IP of the user.

Is there any way to specify that hiawatha should be using X-Forwarded-for IP instead of the Load Balancing one?

Regards
Andrew
Hugo Leisink
20 December 2014, 11:29
Hi Andrew. That is not possible. The load balancer should do the banning. The reason for this is as follows. The reason for banning clients is because they misbehaved and you don't want to waste time and resources on them. A request forwarded by a load balancer / reverse proxy contains the IP address of the actual client, but inside the HTTP request: the X-Forwarded(-For) header. So, if Hiawatha wants to know that IP address, it must accept the request and parse it. In other words: spend time and resources on that request. That makes the idea of banning a bit pointless.

So, if Hiawatha is behind a load balancer / reverse proxy / SSL offloader, disable the banning. The system with the direct internet connection should do the banning (if capable).
Aquanet
20 December 2014, 15:58
Hello Hugo,

The problem is that the Load Balancer cannot perform the security features, like XSS, SQL injection prevention etc. While it would be best if it was possible to ban correct IPs due to SQL injections etc.

Similar nginx module: http://nginx.org/en/docs/http/ngx_http_realip_module.html

Regards
Andrew
Hugo Leisink
21 December 2014, 11:37
I will see what I can do, but no promises yet. Have to look into the impact.
Aquanet
23 December 2014, 20:16
Hello Hugo,

Does hiawatha pass all headers intact? If load balancer adds x-forwarded-for header, does hiawatha pass it onto end web server in reverse proxy mode?

Regards
Andrew
Aquanet
23 December 2014, 21:18
Looks like it does, we have verified the headers and were able to resolve the issue.
Aquanet
24 December 2014, 14:40
Hello Hugo,

Sorry, the initial problem isn't resolved. Load balancer passes real IP in the x-forwarded-for header, which Hiawatha passes correctly onto end web server.

However, we still can't enable security features due to Hiawatha using load balancer IPs for checks.

Regards
Andrew
Hugo Leisink
24 December 2014, 14:43
Send me your e-mail address, then I'll send you a v9.10 beta which should solve this issue.

I'm also still waiting for your answer to this post.
Aquanet
25 December 2014, 21:39
Hello Hugo,

Sent you email yesterday, Merry Christmas and thank you!

Regards
Andrew
This topic has been closed.
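
The address-selection logic this thread asks for, as an added example that is not from the thread and is not Hiawatha's code: the X-Forwarded-For header is honoured only when the TCP peer is a known proxy, and the list is read right to left so entries a client prepended itself are never used for banning. The proxy subnet `10.0.0.0/24`, the function names and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: the load balancers live in this subnet (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed requests: (TCP peer address, X-Forwarded-For value or None).
SAMPLE = [
    ("10.0.0.5", "203.0.113.7"),
    ("10.0.0.5", "1.2.3.4, 203.0.113.7"),  # first hop supplied by the client
    ("10.0.0.5", "198.51.100.20"),
    ("192.0.2.66", "10.0.0.5"),            # not a proxy: header is ignored
]


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True if addr belongs to one of the known proxy networks."""
    return any(addr in net for net in trusted)


def client_ip(peer, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address that bans and request limits should apply to."""
    current = ipaddress.ip_address(peer)
    # A header sent by a peer that is not a known proxy is client-controlled.
    if not xff_header or not is_trusted(current, trusted):
        return str(current)
    # Each proxy appends the address it received the request from, so the
    # rightmost entries are the ones written by infrastructure we control.
    for token in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(token.strip())
        except ValueError:
            break  # malformed entry: keep the last verified hop
        current = hop
        if not is_trusted(hop, trusted):
            break  # first address outside our proxies is the client
    return str(current)


def hits_per_client(requests):
    """Count requests per resolved client address, as a ban counter would."""
    return Counter(client_ip(peer, xff) for peer, xff in requests)


if __name__ == "__main__":
    for ip, count in hits_per_client(SAMPLE).items():
        print(ip, count)
```
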