aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0

Add CloudFront function for injecting True-Client-Ip header to properly record client IP #195

Closed dcopestake closed 1 year ago

dcopestake commented 2 years ago

Issue #, if available: #136

This resolves the issue reported in #136 - which was introduced in pull request #123 - by changing instead to relying on a different header, True-Client-Ip, and a CloudFront function to inject the value based on the client IP.

Obviously the disadvantage here is that it means there is a further step to getting everything working because when creating the CloudFront distribution cache behaviour you need to specify a function association using the ARN from the new output InjectTrueClientIPArn to actually get the header injected, but given that the bad bot protection just doesn't work at all at the moment, and the use of X-Forwarded-For for this purpose is insecure (as mentioned in pull request #123 itself), I think it's a good compromise that doesn't introduce a vulnerability.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
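The mechanism this pull request describes, as an added example that is not the PR's or the solution's own code: a viewer-request CloudFront Function that stamps the connecting viewer's IP into True-Client-Ip (overwriting anything the client sent), plus a small local harness contrasting what a downstream consumer would record from X-Forwarded-For versus from the injected header. It assumes the CloudFront Functions event shape (event.viewer.ip, lowercased header names, each header as a { value } object) and uses constructed sample addresses.

```javascript
// CloudFront Functions viewer-request handler. CloudFront lowercases header
// names and represents each header as { value: "..." }.
function handler(event) {
  var request = event.request;
  // event.viewer.ip is the address CloudFront accepted the connection from;
  // the client cannot set it, unlike any request header it sends.
  request.headers['true-client-ip'] = { value: event.viewer.ip };
  return request;
}

// What a downstream consumer (e.g. the log parser that feeds a WAF IP set)
// would record as "the client IP" under each approach.
function ipFromXForwardedFor(headers) {
  var xff = headers['x-forwarded-for'];
  // Left-most entry is conventionally treated as the originating client.
  return xff ? xff.value.split(',')[0].trim() : null;
}

function ipFromTrueClientIp(headers) {
  var h = headers['true-client-ip'];
  return h ? h.value : null;
}

// Constructed sample event: the real client (198.51.100.7) sends spoofed
// headers claiming to be 203.0.113.9 (both are documentation addresses).
function sampleEvent() {
  return {
    viewer: { ip: '198.51.100.7' },
    request: {
      method: 'GET',
      uri: '/',
      querystring: {},
      cookies: {},
      headers: {
        'x-forwarded-for': { value: '203.0.113.9' },
        'true-client-ip': { value: '203.0.113.9' }
      }
    }
  };
}

function demo() {
  var event = sampleEvent();
  var spoofable = ipFromXForwardedFor(event.request.headers); // '203.0.113.9'
  var request = handler(event);
  var trusted = ipFromTrueClientIp(request.headers);          // '198.51.100.7'
  return { xForwardedFor: spoofable, trueClientIp: trusted };
}
```

The function must be associated with the distribution's cache behaviour as a viewer-request function; without that association the header is never rewritten and a client-supplied value would pass through unchanged.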

aijunpeng commented 2 years ago

Thanks for your contribution. We have added your request to our solution backlog items and it will be evaluated in future solution releases.

rakshb commented 1 year ago

We just released [v3.2.0] of the solution, and this issue has been fixed.

zsidez commented 6 months ago

X-Forwarded-For for this purpose is insecure (as mentioned in pull request https://github.com/aws-solutions/aws-waf-security-automations/pull/123 itself)

So this issue has not been fixed

aijunpeng commented 5 months ago

We fixed the root issue that caused the wrong source ip to be captured when X-Forwarded-For is in the client request. X-Forwarded-For is sent by client request not the solution. Sorry for the confusion, but we didn't choose to inject True-Client-Ip into client request since our goal is not to change client request but to identify and block IP offenders despite X-Forwarded-For.

zsidez commented 4 months ago

Yes, I’m not here in support of this pull request, but about the fact that there was a vulnerability that was fixed here: https://github.com/aws-solutions/aws-waf-security-automations/pull/123 , and then rolled back.

So in the end, all issues are closed and vulnerability still exists