yyyar / gobetween

:cloud: Modern & minimalistic load balancer for the Cloud era
http://gobetween.io

Client IP Spoof #230

Open sonofwill opened 5 years ago

sonofwill commented 5 years ago

Hello,

I would like the backend server to see the source IP of the client.

Can this be done? I have tried the transparent mode. But with this mode enabled, the backend still only sees the IP of the gobetween load balancer.

zerodayyy commented 5 years ago

That's not how an L4 load balancer works. If you spoof the source IP, the response will go directly to the client from your node itself, which will mess with sessions, as the response will be sent from a different IP address than the one the request was sent to. In your case, you need L3 balancing, i.e. a router with anycast IPs on your nodes.

sonofwill commented 5 years ago

I understand this. But it is easy to redirect the packets to return to the client via the load balancer.


zerodayyy commented 5 years ago

That would only be possible if you configure LB as the default gateway on your node. Again, this requires an L3 balancer, which gobetween is not.


nuttysquirrel commented 5 years ago

@zerodayyy it feels like you're thinking with an L4/TCP hat. UDP can work this way.

sonofwill commented 5 years ago

I have it working using another UDP load balancer.

When the UDP packets return to the client via the LB, I use iptables to send them to localhost to have them handled by the application.

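The return-path plumbing the two previous comments describe (LB as the backends' gateway, replies steered into the LB's local stack), as an added example that is not from this thread, from gobetween or from nginx. It is a POSIX shell script that, with DRY_RUN=1 (the default), prints the routing and iptables rules needed when a UDP load balancer spoofs the client's source IP toward its backends, and with DRY_RUN=0 applies them. The topology, the addresses (10.0.0.1 for the LB, 10.0.0.0/24 for the backends), the service port 5060, the fwmark value and the routing-table number are all assumptions chosen for the example. It also assumes the proxy on the LB holds the backend-facing socket bound with IP_TRANSPARENT (what nginx's `proxy_bind $remote_addr transparent` does); whether gobetween's transparent mode handles the return path this way is not something this thread establishes.

```shell
#!/bin/sh
# Return-path rules for a UDP load balancer that spoofs the client's source IP
# toward its backends. Addresses, port, mark and table are assumptions
# constructed for this example, not gobetween or nginx defaults.
#
#   client ---> LB (10.0.0.1) --spoofed src = client--> backend (10.0.0.0/24):5060
#
# The backend answers to the client's IP, so (1) its default route must point at
# the LB, and (2) the LB must deliver those replies to its own proxy socket
# instead of forwarding them to the client from an address the client never
# talked to, which is the session breakage described earlier in the thread.
set -eu

LB_IP="${LB_IP:-10.0.0.1}"             # LB address the backends route through
BACKEND_NET="${BACKEND_NET:-10.0.0.0/24}"
BACKEND_PORT="${BACKEND_PORT:-5060}"   # UDP service port on the backends
MARK="${MARK:-1}"                      # fwmark that selects the local-delivery table
TABLE="${TABLE:-100}"                  # policy-routing table holding the local route
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands, 0 = execute them (root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Backend side: send non-local traffic via the LB so replies addressed to the
# spoofed client IP cannot leak out through another gateway.
backend_rules() {
    run ip route replace default via "$LB_IP"
}

# LB side: mark UDP replies coming from the backends (source port = service
# port) and policy-route marked packets into the local stack. The kernel then
# matches them to the proxy's IP_TRANSPARENT socket even though the packet's
# destination is the client's address rather than one of the LB's own.
lb_rules() {
    run iptables -t mangle -A PREROUTING -p udp -s "$BACKEND_NET" --sport "$BACKEND_PORT" \
        -j MARK --set-xmark "$MARK/0xffffffff"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

case "${1:-}" in
    lb)      lb_rules ;;
    backend) backend_rules ;;
    "")      ;;   # no role given: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 lb|backend" >&2; exit 2 ;;
esac
```

Review the output first (`sh return_path.sh lb`), then apply with `DRY_RUN=0 sh return_path.sh lb` on the LB and `DRY_RUN=0 sh return_path.sh backend` on each backend. The order matters: flip the backends' default route before sending spoofed traffic, otherwise their replies bypass the LB exactly as the earlier comment warns. The mangle rule is deliberately narrow (backend subnet and service source port) so ordinary traffic from the backends, such as their own outbound connections, is not pulled into the local table.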

nuttysquirrel commented 5 years ago

Yep, sorry, not directed at you. Clarified my original comment :) I'm playing with UDP stuff too... what are you using?

sonofwill commented 5 years ago

Nginx.
