Amazon ELB forwarding http request changes request.RemoteAddress - amazon-web-services

We are using Amazon EC2 services to host our play application on live. I have a quite important problem with Elastic Load Balancer. In my application I need request remote address and I am using play framework controller's request.remoteAddress property for it. However on Amazon it is stored always as load balancers ip address which is misleading us as we cannot track request remote address.
Is there something like a setting in Amazon ELB Configuration for forwarded requests? In Apache i think there is a solution for that but I have skimmed through ELB documentation and could not find any clue.

i think you can use this when you a behind an proxy or load balancer:
String ip = Http.Request.current().headers.get("x-forwarded-for")

I think I found an elegant solution that Play Framework have a support such as XForwardedSupport. I am planning to test it in a short while.
Details of XForwardedSupport is here

Related

Fixed IP address for service behind aws application load balancer

our company just moved to a new office and therefore also got new network equipment. Es it turns out, our new firewall does not allow pushing routes over VPN that it first has to look up ip addresses for.
As we all know, amazon aws does not allow static ip addresses for its application load balancer.
So our idea was to simply put a network load balancer in front of the application load balancer (there is a pretty hacky way described by aws itself (https://aws.amazon.com/blogs/networking-and-content-delivery/using-static-ip-addresses-for-application-load-balancers/) that seemed to work fine (even if I don't really like the approach with the lambda script registering and deregistering targets)
So here is our problem: as it turns out, the application load balancer only gets to see the network load balancers ip address. This prevents us to use security groups for ip whitelisting which we do quite heavily. On top of that some of our applications (Nginx/PHP based) also do ip address verification and the alb used to pass the clients ip address as an x-forwarded-for header. Now our application only sees the one from the nlb.
We know of the possibility to use the global accelerator but that is a heavy investment as we don't really need what the GA is trying to solve.
So how did you guys solve this problem ?
Thankful for any help :)
Greetings
You could get the list of AWS IP addresses for the region your ALB is located, and allow for them in your firewall. They do publish the list and you can filter through it https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
I haven't done this myself and I'm unsure if the addresses for ALB are included under the EC2 category of you would take the whole of AMAZON service "to be safe".
Can you expand on this? "We know of the possibility to use the global accelerator but that is a heavy investment as we don't really need what the GA is trying to solve."
GA should give you better, more consistent performance, especially if your office is far away from the AWS Region where the ALB is running

Secure Web Socket (wss) using AWS Load Balancer

I have a small nodejs application containing a web socket server.
The app is hosted inside an ecs container so it is basically a docker image running on an ec2 instance.
The web socket works as expected over ws://. I use port 5000 for this.
In order to use it on my SSL secured website (https), i need to use a secured web socket connection over wss://.
To archive that I've created a certificate on aws (like many times before) and after I create a load balancer.
I tried an application load balancer, a network load balancer and the classic load balancer (previous generation).
I read a few answers here on StackOverflow and followed the instructions as well as some tutorials found using google.
I tried a lot without success. Of course, this takes a lot of time because the creation of a load balancer and other resources takes quite a bit of time.
How I create a load balancer on aws pointing to my instance with wss://. Could someone please provide an example or instructions?
The solution posted
https://anandhub.wordpress.com/2016/10/06/websocket-ebs/ appears to work well.
Rather than selecting https and http, select the 'SSL' on port 443 and 'TCP' on your applications port (eg 5000)
You'll need to load your key/certificate via AWS and the loadbalancer will handle the secure part. I suspect you can not take advantage of 'sticky' features of the LB with this method.

Setting up a loadbalancer behind a proxy server on Google Cloud Compute engine

I am looking to build a scalable REST webservice on the Google Cloud Compute Engine but have a couple of requirements that I am not sure how best to implement.
Structure so far:
2 Instances running a REST webservice connected to a MySQL Cloud database.
(number of instances to scale up in the future)
Load balancer to split request between the two or more Instances.
this part is fine.
What I need next is that the traffic (POST requests from instances to an external webservice) must come from a single IP address. I assume these requests can not route back through the public IP of the load balancer?
I get the impression the solution to this is to route all requests from instances though a 3rd instance running squid. Is this the best way to do this? (side question)
Now to my main question:
I have been reading about ApiAxle which sounds like a nice proxy for Web Services, giving some good access control, throttling and reporting capabilities.
Can I have an instance running ApiAxle followed by a google cloud Load Balancer which shares the request from the proxy to the backend instances that do the leg work and feed the response back through the ApiAxle proxy, thus having everything though a single IP visible to clients using the API? (letting me add new instances to the pool to add capacity.)
and Would the proxy be much of a bottle neck?
Thanks in advance.
/Dave
(new to this, so sorry if its a stupid question because I cant find anything like this on the web)
Sounds like you need to NAT on your outbound traffic so it appears to come from one IP address. You need to do that via a third instance since Google LB stack doesn't provide this. GCLB works only with inbound connections on the load-balanced IP.
You can setup source-NAT using advanced routing, or you can use a proxy as you suggested.

How to use Sagepay (Direct) integration with AWS Loadbalanced

I have an ASP.NET MVC application which we have setup through Elastic Load balancer on AWS which works great.
However to take online payments via Sagepay Direct integration, we have had to setup an Elastic IP on to a 'master' instance. This is because Sagepay will only allow requests from a known IP (or IP range I believe) and as far as I know, you will never know the IP of the instance the load balancer throws you on.
Before you ask, Sagepay will not allow me to add a A or C record :(
I can live with this, BUT as my application gets busier it's a shame I cant load balance the payments system and make use of the cloud facilities (auto scaling, etc)
Any thoughts on how to achieve this scenario?
After following an AWS seminar, I was informed that AWS publish the IP ranges and these can be added to Sagepay.
Here they are for your reference! AWS EC2 IP ranges
Hope that helps!

UDP Service with amazon web services

Good Day,
I have been using AWS quite a bit for my cloud based system for a hardware project. Using SimpleDB and the notification service provided is great.
However, I need a backend on AWS that basically listens to requests coming in, processes it and sends it back to a particular address. Some kind of UDP service.
I could easily write a c#/c++ app for it, but i am not sure if I can host it on AWS. Does anyone know how this works?
Short answer: yes.
EC2 instances are just like any other virtual machine, obviously you can put in a server that listens to UDP. Configuring the network for this is, of course, slightly more complicated, but possible. The one thing making it more complicated is that with UDP you will not be able to enjoy the load balancer service that Amazon offers, as it (currently) only supports TCP-based protocols.
So, if you have one server you wish to put on the internet, the procedure is probably same as what you'd do with a TCP server: set up a server and an elastic IP pointing to it, and then have your clients connect to it (by knowing the elastic IP you've been allocated, or by referring to that IP via a DNS resolution). If you have multiple servers you wish to set up, answering the same address, life is a bit more complicated. With TCP, you could have set up an Amazon load balancer and assign your elastic IP to the load balancer. If you'd want a load balancer for UDP, the Amazon stock load balancer can't do that, but you can still find a software load balancer (there are hundreds of them on Amazon's public images library) to set up.
Nginix has an Amazon image that will load balance UDP for $2,500/yr or you can launch your own EC2 instance and use open source Nginx.
My specific use case was for a UDP logging service, if you can use hostnames Route 53 could be a scalable managed solution as well.