Getting the Actual Client IP When Using Application Load Balancer (ALB) in AWS Lambda

Getting the Actual Client IP When Using Application Load Balancer (ALB) in AWS Lambda


When I was new to AWS, I faced an interesting challenge while working on a task to digitally sign a document, which required the client’s IP as part of the e-signature. Initially, I was thrilled when the implementation seemed to work perfectly the first time. However, my excitement was short-lived. During testing, I noticed that the same IP address was being returned, even when I accessed the application from different machines. It was then that I realized the IP address I was receiving was not the actual client IP but the IP of the load balancer.

This discovery led me down a path of investigation and learning. I had to dig deeper to understand what was happening and how to retrieve the real client IP. In this blog, I will share my experience and provide a comprehensive guide on how to achieve this using AWS Lambda and Python, ensuring you can accurately capture the client’s IP address when using an Application Load Balancer (ALB).



Understanding the Challenge

When a client makes a request to your application through an ALB, the load balancer acts as an intermediary. Consequently, the IP address your application sees is that of the ALB, not the client’s. To address this, ALB includes the client’s IP in the X-Forwarded-For HTTP header. This header can contain multiple IP addresses in case the request has passed through multiple proxies.

Here’s what we need to handle:

  • Extract the Client IP: Retrieve and parse the X-Forwarded-For header.

  • Handle Multiple IPs: Ensure that we get the correct client IP even when multiple proxies are involved.



Security Consideration

The X-Forwarded-For header should be used with caution due to potential security risks. The entries can only be considered trustworthy if added by systems that are properly secured within the network. This ensures that the client IPs are not tampered with and are reliable.



Choosing the Right Tools



AWS Lambda and Python

AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers. Python, with its simplicity and readability, is an excellent choice for handling this task within a Lambda function.



Key Components

  1. AWS Lambda Function: The core function that processes incoming requests.

  2. Application Load Balancer (ALB): The load balancer that forwards requests to the Lambda function.



Implementation Details



Setting Up AWS Lambda with ALB

First, ensure your Lambda function is set up and integrated with an ALB. Follow AWS’s official guide if needed: Using Lambda functions as targets for Application Load Balancer.



Lambda Function Code

Let’s dive into the Python code for the Lambda function. This function will extract the client’s IP address from the X-Forwarded-For header.

import json

def lambda_handler(event, context):
    # Extract the 'X-Forwarded-For' header
    x_forwarded_for = event['headers'].get('x-forwarded-for')

    if x_forwarded_for:
        # The first IP in the list is the client's IP
        client_ip = x_forwarded_for.split(',')[0]
    else:
        # Fallback if header is not present
        client_ip = event['requestContext']['identity']['sourceIp']

    # Log the client IP
    print(f"Client IP: {client_ip}")

    # Respond with the client IP
    return {
        'statusCode': 200,
        'body': json.dumps({'client_ip': client_ip})
    }

Enter fullscreen mode

Exit fullscreen mode



Explanation

  • Extract the Header: Retrieve the X-Forwarded-For header from the incoming request.

  • Parse the Header: Take the first IP, which represents the client’s original IP.

  • Fallback Mechanism: Use the source IP from the request context if the header is not present.

  • Logging and Response: Log and return the client’s IP for verification.



Example Request and Response

Request:

{
    "headers": {
        "x-forwarded-for": "203.0.113.195, 70.41.3.18, 150.172.238.178"
    },
    "requestContext": {
        "identity": {
            "sourceIp": "70.41.3.18"
        }
    }
}

Enter fullscreen mode

Exit fullscreen mode

Response:

{
    "client_ip": "203.0.113.195"
}

Enter fullscreen mode

Exit fullscreen mode



Conclusion

Identifying the actual client IP in an AWS Lambda function behind an ALB requires careful handling of the X-Forwarded-For header. This approach ensures accurate IP logging and enhances the application’s ability to personalize and secure user interactions.



Refrences



Source link
lol

By stp2y

Leave a Reply

Your email address will not be published. Required fields are marked *

No widgets found. Go to Widget page and add the widget in Offcanvas Sidebar Widget Area.