When I was new to AWS, I faced an interesting challenge while working on a task to digitally sign a document, which required the client’s IP as part of the e-signature. Initially, I was thrilled when the implementation seemed to work perfectly the first time. However, my excitement was short-lived. During testing, I noticed that the same IP address was being returned, even when I accessed the application from different machines. It was then that I realized the IP address I was receiving was not the actual client IP but the IP of the load balancer.
This discovery led me down a path of investigation and learning. I had to dig deeper to understand what was happening and how to retrieve the real client IP. In this blog, I will share my experience and provide a comprehensive guide on how to achieve this using AWS Lambda and Python, ensuring you can accurately capture the client’s IP address when using an Application Load Balancer (ALB).
Understanding the Challenge
When a client makes a request to your application through an ALB, the load balancer acts as an intermediary. Consequently, the IP address your application sees is that of the ALB, not the client’s. To address this, ALB includes the client’s IP in the X-Forwarded-For HTTP header. This header can contain multiple IP addresses in case the request has passed through multiple proxies.
Here’s what we need to handle:
-
Extract the Client IP: Retrieve and parse the
X-Forwarded-For
header. -
Handle Multiple IPs: Ensure that we get the correct client IP even when multiple proxies are involved.
Security Consideration
The X-Forwarded-For header should be used with caution due to potential security risks. The entries can only be considered trustworthy if added by systems that are properly secured within the network. This ensures that the client IPs are not tampered with and are reliable.
Choosing the Right Tools
AWS Lambda and Python
AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers. Python, with its simplicity and readability, is an excellent choice for handling this task within a Lambda function.
Key Components
-
AWS Lambda Function: The core function that processes incoming requests.
-
Application Load Balancer (ALB): The load balancer that forwards requests to the Lambda function.
Implementation Details
Setting Up AWS Lambda with ALB
First, ensure your Lambda function is set up and integrated with an ALB. Follow AWS’s official guide if needed: Using Lambda functions as targets for Application Load Balancer.
Lambda Function Code
Let’s dive into the Python code for the Lambda function. This function will extract the client’s IP address from the X-Forwarded-For header.
import json
def lambda_handler(event, context):
# Extract the 'X-Forwarded-For' header
x_forwarded_for = event['headers'].get('x-forwarded-for')
if x_forwarded_for:
# The first IP in the list is the client's IP
client_ip = x_forwarded_for.split(',')[0]
else:
# Fallback if header is not present
client_ip = event['requestContext']['identity']['sourceIp']
# Log the client IP
print(f"Client IP: {client_ip}")
# Respond with the client IP
return {
'statusCode': 200,
'body': json.dumps({'client_ip': client_ip})
}
Explanation
-
Extract the Header: Retrieve the X-Forwarded-For header from the incoming request.
-
Parse the Header: Take the first IP, which represents the client’s original IP.
-
Fallback Mechanism: Use the source IP from the request context if the header is not present.
-
Logging and Response: Log and return the client’s IP for verification.
Example Request and Response
Request:
{
"headers": {
"x-forwarded-for": "203.0.113.195, 70.41.3.18, 150.172.238.178"
},
"requestContext": {
"identity": {
"sourceIp": "70.41.3.18"
}
}
}
Response:
{
"client_ip": "203.0.113.195"
}
Conclusion
Identifying the actual client IP in an AWS Lambda function behind an ALB requires careful handling of the X-Forwarded-For
header. This approach ensures accurate IP logging and enhances the application’s ability to personalize and secure user interactions.
Refrences
Source link
lol