Open suzukyz opened 1 year ago
Thanks for reporting the issue. We are investigating this.
@suzukyz Could you please share the BadBotParser lambda event generated after you changed the CloudFront configuration? And what is the correct source IP you would expect the honeypot to detect? Is it line 149?
@aijunpeng
Thank you for your quick response.
This is the event in the case of the "Cache policy and origin request policy (recommended)" setting.
I masked some parts of the values.
In this case, requestContext.identity.userAgent is curl/8.1.2.
```
Event->{'resource': '/{proxy+}', 'path': '/ProdStage', 'httpMethod': 'GET', 'headers': {'Accept': '*/*', 'CloudFront-Forwarded-Proto': 'https', 'CloudFront-Is-Desktop-Viewer': 'true', 'CloudFront-Is-Mobile-Viewer': 'false', 'CloudFront-Is-SmartTV-Viewer': 'false', 'CloudFront-Is-Tablet-Viewer': 'false', 'CloudFront-Viewer-ASN': '16509', 'CloudFront-Viewer-City': 'XXXXXXXXXX', 'CloudFront-Viewer-Country': 'JP', 'CloudFront-Viewer-Country-Name': 'Japan', 'CloudFront-Viewer-Country-Region': '14', 'CloudFront-Viewer-Country-Region-Name': 'XXXXXXXX', 'CloudFront-Viewer-Latitude': 'XXXXXXXXX', 'CloudFront-Viewer-Longitude': 'XXXXXXXXX', 'CloudFront-Viewer-Postal-Code': 'XXX-XXXX', 'CloudFront-Viewer-Time-Zone': 'Asia/Tokyo', 'Host': 'xxxxxxxxxxxx.execute-api.us-east-1.amazonaws.com', 'User-Agent': 'curl/8.1.2', 'Via': '2.0 0e84d94f31561a6c5d6d0d266f8e3fd0.cloudfront.net (CloudFront), 1.1 186a60433f9963be434f24b7c3e9430c.cloudfront.net (CloudFront)', 'X-Amz-Cf-Id': '1P6CZ5_XiWSBj4XIbO1IocFPMJAdZmXHfe-oNsS27Cmu1jNHUCEmAg==', 'X-Amzn-Trace-Id': 'Root=1-65197886-225b0adf2f7e905a24691ac6', 'X-Forwarded-For': '175.xxx.xxx.xxx, 52.46.xxx.xxx, 52.46.xxx.xxx', 'X-Forwarded-Port': '443', 'X-Forwarded-Proto': 'https'}, 'multiValueHeaders': {'Accept': ['*/*'], 'CloudFront-Forwarded-Proto': ['https'], 'CloudFront-Is-Desktop-Viewer': ['true'], 'CloudFront-Is-Mobile-Viewer': ['false'], 'CloudFront-Is-SmartTV-Viewer': ['false'], 'CloudFront-Is-Tablet-Viewer': ['false'], 'CloudFront-Viewer-ASN': ['16509'], 'CloudFront-Viewer-City': ['xxxxxxxxxx'], 'CloudFront-Viewer-Country': ['JP'], 'CloudFront-Viewer-Country-Name': ['Japan'], 'CloudFront-Viewer-Country-Region': ['14'], 'CloudFront-Viewer-Country-Region-Name': ['xxxxxxxx'], 'CloudFront-Viewer-Latitude': ['xx.xxxxxxxx'], 'CloudFront-Viewer-Longitude': ['xxx.xxxxxxxx'], 'CloudFront-Viewer-Postal-Code': ['xxx-xxxx'], 'CloudFront-Viewer-Time-Zone': ['Asia/Tokyo'], 'Host': ['0ifu8uq7z3.execute-api.us-east-1.amazonaws.com'], 'User-Agent': ['curl/8.1.2'], 'Via': ['2.0 0e84d94f31561a6c5d6d0d266f8e3fd0.cloudfront.net (CloudFront), 1.1 186a60433f9963be434f24b7c3e9430c.cloudfront.net (CloudFront)'], 'X-Amz-Cf-Id': ['1P6CZ5_XiWSBj4XIbO1IocFPMJAdZmXHfe-oNsS27Cmu1jNHUCEmAg=='], 'X-Amzn-Trace-Id': ['Root=1-65197886-225b0adf2f7e905a24691ac6'], 'X-Forwarded-For': ['175.xxx.xxx.xxx, 52.46.xxx.xxx, 52.46.xxx.xxx'], 'X-Forwarded-Port': ['443'], 'X-Forwarded-Proto': ['https']}, 'queryStringParameters': None, 'multiValueQueryStringParameters': None, 'pathParameters': {'proxy': 'ProdStage'}, 'stageVariables': None, 'requestContext': {'resourceId': '6007wf', 'resourcePath': '/{proxy+}', 'httpMethod': 'GET', 'extendedRequestId': 'MH_E_GSxoAMFtWA=', 'requestTime': '01/Oct/2023:13:47:50 +0000', 'path': '/ProdStage/ProdStage', 'accountId': 'xxxxxxxxxxxx', 'protocol': 'HTTP/1.1', 'stage': 'ProdStage', 'domainPrefix': 'xxxxxxxxxxxx', 'requestTimeEpoch': 1696168070043, 'requestId': '12ae4480-3d98-42e3-a506-8550a51cc77f', 'identity': {'cognitoIdentityPoolId': None, 'accountId': None, 'cognitoIdentityId': None, 'caller': None, 'sourceIp': '52.46.xxx.xxx', 'principalOrgId': None, 'accessKey': None, 'cognitoAuthenticationType': None, 'cognitoAuthenticationProvider': None, 'userArn': None, 'userAgent': 'curl/8.1.2', 'user': None}, 'domainName': 'xxxxxxxxxxxx.execute-api.us-east-1.amazonaws.com', 'apiId': 'xxxxxxxxxxxx'}, 'body': None, 'isBase64Encoded': False}<-
```
> And what is the correct source ip you would expect the honeypot to detect? is it line 149?

Yes. When we use CloudFront, I think the IP we expect should be obtained from L149.
Thanks for the information. We are able to replicate the issue. We have added it to our backlog and it will be addressed in the next release. Meanwhile I hope you have updated the code and have it fixed on your end.
**Describe the bug**
When I configured "Cache policy and origin request policy (recommended)" as "CacheDisabled" and "AllViewerExceptHostHeader", which is the recommended setting for API Gateway, the Honeypot lambda doesn't work, because "requestContext.identity.userAgent" of the event is not "Amazon CloudFront" with this setting. So the honeypot doesn't detect the correct IP address. (But the honeypot works with the Legacy configuration of CloudFront.)

**To Reproduce**
In the CloudFront management console, configure the cache policy above for your distribution's behavior for the honeypot.

**Expected behavior**
The honeypot should correctly detect whether or not a request came via CloudFront.

**Additional context**
If you want to fix this issue, we would modify the BadBotParser lambda as below:

```python
# current check in BadBotParser (only true with the legacy CloudFront cache settings):
if event['requestContext']['identity']['userAgent'] == 'Amazon CloudFront':
# proposed replacement: look at the Via header instead
# (.get() avoids a KeyError when Via is absent; `in` also matches at index 0,
# which `.find(...) > 0` would miss)
if 'cloudfront' in event['headers'].get('Via', ''):
```
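The check above decides which field the honeypot should trust for the client address. As an added example, not code from the aws-waf-security-automations project or from the reporter, the block below shows the whole decision for an API Gateway REST (v1 payload) event: it counts CloudFront hops in the `Via` header (the `User-Agent` is no longer usable once the origin request policy forwards the viewer's own `User-Agent`), and then recovers the viewer IP from `X-Forwarded-For` counting from the right, because anything the viewer puts in that header stays at the front and only the trusted hops append to it. The function names, the sample events and the IP addresses are constructed for this example; the assumption that each CloudFront hop listed in `Via` appended exactly one entry to `X-Forwarded-For`, and that API Gateway's `sourceIp` is the last entry, is read off the event posted in this thread, not from AWS documentation.

```python
# Added example (not the solution's BadBotParser code): tell whether an API
# Gateway REST event arrived through CloudFront and recover the viewer IP.
import ipaddress
from typing import Optional


def _header(event: dict, name: str) -> Optional[str]:
    """Case-insensitive single-value header lookup on a v1 REST API event."""
    headers = event.get("headers") or {}
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def cloudfront_hops(event: dict) -> int:
    """Number of CloudFront hops recorded in the Via header (0 if none).

    'Amazon CloudFront' as requestContext.identity.userAgent only appears with
    the legacy cache settings; with a forwarding origin request policy the
    viewer's User-Agent is passed through, so Via is the signal that survives.
    """
    via = _header(event, "Via") or ""
    return sum(1 for hop in via.split(",") if "cloudfront" in hop.lower())


def came_via_cloudfront(event: dict) -> bool:
    identity = (event.get("requestContext") or {}).get("identity") or {}
    legacy = identity.get("userAgent") == "Amazon CloudFront"
    return legacy or cloudfront_hops(event) > 0


def client_ip(event: dict, trusted_hops: Optional[int] = None) -> Optional[str]:
    """Viewer IP as a string, or None when it cannot be determined safely.

    X-Forwarded-For is client-writable: whatever the viewer sends is kept at the
    front and each proxy appends the peer address it saw. With N trusted hops
    behind API Gateway the viewer is therefore the (N+1)-th entry from the END.
    Assumption (taken from the posted event): every CloudFront hop in Via added
    exactly one entry, and API Gateway's sourceIp is the last one.
    """
    if trusted_hops is None:
        trusted_hops = cloudfront_hops(event)
    identity = (event.get("requestContext") or {}).get("identity") or {}
    if trusted_hops == 0:
        return identity.get("sourceIp")  # direct hit: the TCP peer is the client
    xff = _header(event, "X-Forwarded-For") or ""
    chain = [p.strip() for p in xff.split(",") if p.strip()]
    idx = len(chain) - trusted_hops - 1
    if idx < 0:
        return None  # chain shorter than the hop count claims: do not guess
    candidate = chain[idx]
    try:
        ipaddress.ip_address(candidate)  # reject garbage a client may inject
    except ValueError:
        return None
    return candidate


def make_event(headers: dict, source_ip: str) -> dict:
    """Constructed minimal v1 REST API event for the example."""
    return {
        "headers": headers,
        "requestContext": {"identity": {"sourceIp": source_ip, "userAgent": headers.get("User-Agent")}},
    }


# Constructed sample events (documentation IP ranges; shape follows the posted event).
VIA_TWO_HOPS = "2.0 abc.cloudfront.net (CloudFront), 1.1 def.cloudfront.net (CloudFront)"
RECOMMENDED_POLICY_EVENT = make_event(
    {"User-Agent": "curl/8.1.2", "Via": VIA_TWO_HOPS,
     "X-Forwarded-For": "203.0.113.7, 52.46.0.10, 52.46.0.11"},
    "52.46.0.11",
)
# Same request, but the viewer forged an X-Forwarded-For entry in front.
SPOOFED_XFF_EVENT = make_event(
    {"User-Agent": "curl/8.1.2", "Via": VIA_TWO_HOPS,
     "X-Forwarded-For": "1.2.3.4, 203.0.113.7, 52.46.0.10, 52.46.0.11"},
    "52.46.0.11",
)
# A client hitting the execute-api endpoint directly, bypassing the distribution.
DIRECT_EVENT = make_event({"User-Agent": "curl/8.1.2"}, "198.51.100.4")

if __name__ == "__main__":
    for name, ev in [("recommended", RECOMMENDED_POLICY_EVENT),
                     ("spoofed", SPOOFED_XFF_EVENT), ("direct", DIRECT_EVENT)]:
        print(name, came_via_cloudfront(ev), client_ip(ev))
```

Note that `Via` itself can be forged by a client that reaches the `execute-api` hostname directly; this example only chooses which address field to read. If the honeypot must not be reachable except through the distribution, gate the origin on a custom origin header carrying a secret that only CloudFront adds (or an API Gateway resource policy), rather than on any header the client can write.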