kaplanlior / midburn-queue

midburn.org tickets queue system
https://midburn.org
MIT License
2 stars 5 forks

Access Log logs the LoadBalancer's IP and not the requester's IP #25

Open eladg opened 8 years ago

eladg commented 8 years ago

In order to verify no one sneaks into the queue, we added an "Access Log" print for every request.

There were many unsuccessful attempts to sneak into the queue on the application level (for example, performing POST /register with the wrong params/tokens), but those were not logged correctly.

Heroku's LB/Router Log:

291 <158>1 2016-04-30T16:41:46.861667+00:00 heroku router - - at=info method=POST path="/register" host=midburn-queue.herokuapp.com request_id=3ddb129b-3701-45a9-8739-320830ec960b fwd="12.34.56.78" dyno=web.3 connect=0ms service=1ms status=400 bytes=341

Application Log:

180 <190>1 2016-04-30T16:41:46.861652+00:00 app web.3 - - [access log] POST /register from 10.126.32.121: {"username"=>"--redacted--@--redacted--.com"}

This request is from someone who tried to guess the register's email param (i.e. the incorrect 'username' field), but in the application-level log we have "10.126.32.121", the internal private IP, instead of the load balancer IP "12.34.56.78" (an example external IP).

Although it's possible to manually back-trace and pair the router logs and application logs based on the internal IPs, it's very difficult at a 10-server scale with 2x1000 log prints a second.
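An added example, not code from the midburn-queue project or from the post above: a small Ruby helper that derives the requester's address from X-Forwarded-For by walking the chain from the right (the entry appended by the trusted router) and skipping private hops, and that carries the router's request id so application lines can be paired with router lines without back-tracing. It assumes a router that appends the client address to X-Forwarded-For and sets X-Request-ID (Heroku's router does both); the private ranges, header names and the sample env below are this example's assumptions.

```ruby
require 'ipaddr'

module AccessLog
  # Assumption: these ranges are our own infrastructure (router/LB hops)
  # and must never be reported as the requester.
  PRIVATE = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8]
            .map { |cidr| IPAddr.new(cidr) }.freeze

  # Build the full hop chain: X-Forwarded-For entries (left = client-supplied,
  # right = appended by the nearest proxy) followed by the TCP peer address.
  def self.hop_chain(env)
    chain = env['HTTP_X_FORWARDED_FOR'].to_s.split(',').map(&:strip)
    chain.reject!(&:empty?)
    chain << env['REMOTE_ADDR'].to_s
  end

  # Walk the chain from the right so that anything the client prepended to
  # X-Forwarded-For is only consulted after every trusted hop has been
  # skipped; the first non-private address is the one the router saw.
  def self.client_ip(env)
    hop_chain(env).reverse_each do |addr|
      begin
        ip = IPAddr.new(addr)
      rescue ArgumentError
        next # malformed entry (client-controlled header): ignore it
      end
      return addr unless PRIVATE.any? { |net| net.include?(ip) }
    end
    env['REMOTE_ADDR'] # every hop was private: fall back to the peer
  end

  # One access-log line in the style of the post, plus the router's
  # request id for pairing with the router log.
  def self.line(env, params)
    rid = env['HTTP_X_REQUEST_ID'] || '-'
    "[access log] #{env['REQUEST_METHOD']} #{env['PATH_INFO']} " \
      "from #{client_ip(env)} request_id=#{rid}: #{params.inspect}"
  end

  # Constructed sample env mirroring the request in the post.
  def self.sample_env
    { 'REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/register',
      'REMOTE_ADDR' => '10.126.32.121',
      'HTTP_X_FORWARDED_FOR' => '12.34.56.78',
      'HTTP_X_REQUEST_ID' => '3ddb129b-3701-45a9-8739-320830ec960b' }
  end
end

puts AccessLog.line(AccessLog.sample_env, 'username' => '--redacted--') if __FILE__ == $0
```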