fabiolb / fabio

Consul Load-Balancing made simple
https://fabiolb.net
MIT License

Must Access Control require RemoteAddr matching? #754

Closed djenriquez closed 4 years ago

djenriquez commented 4 years ago

It seems it becomes necessary that the allow: rule includes the IP of the AWS LBs, since they always become the RemoteAddr. However, this is especially painful for public LBs since those change to whatever IP at random, given:

For HTTP requests the client RemoteAddr is always validated followed by all elements of the X-Forwarded-For header, if present. When all of these elements match an allow the request will be allowed; similarly when any element matches a deny the request will be denied.

We have an unfortunate URI-based routing complexity where some routes should only allow "internal" traffic, but most everything else should be public. This requires Fabio to be fronted by a public-facing LB. For certain paths, we want only a defined set of IPs to have access, but because the access control requires the LB's IP, which is always changing, this definition becomes impossible without allowing the entirety of AWS-owned IPs.

Is there a way to disable the RemoteAddr check and instead just look to see if any IPs match in X-Forwarded-For, or possibly apply OR logic instead of AND?

djenriquez commented 4 years ago

@leprechau, sounds like it's been decided from here that RemoteAddr must always be checked, eh? https://github.com/fabiolb/fabio/pull/442#discussion_r167756741

Hmmm, actually I wonder if the RemoteAddr from a public-facing LB is actually its internal IP address; then this isn't an issue since we can allow the internal subnet as a whole.

djenriquez commented 4 years ago

Confirmed, RemoteAddr is a private IP. This isn't an issue anymore :wink:.
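The matching rule quoted in the opening comment (RemoteAddr first, then every X-Forwarded-For element; all must match an allow, any may match a deny) and the resolution in the last comment (allow the LB's private subnet plus the client ranges) are modelled below in Go as an added example. This is not fabio's own code and its names (AccessRules, parseNets, sourceIPs, Denied, newRequest) are this example's. It assumes CIDR-only lists, fails closed on addresses it cannot parse, and uses constructed addresses: 10.0.0.0/8 as the LB's VPC range, 203.0.113.0/24 as the clients permitted on the internal route, and 198.51.100.9 as an arbitrary internet client.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// AccessRules is a stand-alone model of the documented rule, not fabio's own
// code: a route carries an allow list, a deny list, or neither.
type AccessRules struct {
	Allow []*net.IPNet
	Deny  []*net.IPNet
}

// parseNets parses a comma-separated list of CIDR blocks (e.g. "10.0.0.0/8").
func parseNets(list string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, s := range strings.Split(list, ",") {
		_, n, err := net.ParseCIDR(strings.TrimSpace(s))
		if err != nil {
			return nil, err
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// sourceIPs returns the addresses the rule checks, in order: the TCP peer
// (RemoteAddr, i.e. the LB when fronted by one), then every X-Forwarded-For element.
func sourceIPs(r *http.Request) ([]net.IP, error) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return nil, err
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return nil, fmt.Errorf("invalid RemoteAddr %q", r.RemoteAddr)
	}
	ips := []net.IP{ip}
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		for _, x := range strings.Split(xff, ",") {
			xip := net.ParseIP(strings.TrimSpace(x))
			if xip == nil {
				return nil, fmt.Errorf("invalid X-Forwarded-For element %q", x)
			}
			ips = append(ips, xip)
		}
	}
	return ips, nil
}

func matches(nets []*net.IPNet, ip net.IP) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Denied applies the documented rule: with an allow list every source IP must match
// an allow entry; any source IP matching a deny entry denies. Unparseable addresses
// fail closed (an assumption of this model, not something the page states).
func (a AccessRules) Denied(r *http.Request) bool {
	ips, err := sourceIPs(r)
	if err != nil {
		return true
	}
	for _, ip := range ips {
		if (len(a.Allow) > 0 && !matches(a.Allow, ip)) || matches(a.Deny, ip) {
			return true
		}
	}
	return false
}

// newRequest builds a constructed request as fabio sees it behind a load
// balancer: the LB's address is RemoteAddr, the client sits in X-Forwarded-For.
func newRequest(remoteAddr, xff string) *http.Request {
	r := &http.Request{RemoteAddr: remoteAddr, Header: http.Header{}}
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

func main() {
	// Constructed: 10.0.0.0/8 is the LB's VPC range, 203.0.113.0/24 the office
	// range allowed on the internal route, 198.51.100.9 an arbitrary internet client.
	allow, err := parseNets("10.0.0.0/8, 203.0.113.0/24")
	if err != nil {
		panic(err)
	}
	rules := AccessRules{Allow: allow}
	for _, xff := range []string{"203.0.113.7", "198.51.100.9", "203.0.113.7, 198.51.100.9"} {
		fmt.Printf("X-Forwarded-For: %-28s denied=%v\n", xff, rules.Denied(newRequest("10.1.2.3:45678", xff)))
	}
}
```

The third request in main is the case worth keeping in mind before asking for OR logic: a client can send its own X-Forwarded-For, and an AWS ELB/ALB appends the connecting address to it rather than replacing it, so a forged leading "203.0.113.7" still arrives with the real client address as the last element. Because every element must match an allow entry, the forged request is denied; with OR logic it would pass. The price of this design is the one the thread settles on: the allow list must include the LB's own address range, which, as confirmed above, is a private subnet rather than the LB's changing public IP.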